Re: SSL Session Reuse in APR based connector
Thanks Chris.

On Thu, Nov 26, 2015 at 11:12 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 11/26/15 11:21 AM, Sanaullah wrote:
> > we are currently running Tomcat 8 and I am trying to achieve higher
> > performance. One of the steps is to use SSL session reuse, which will
> > reduce the CPU-intensive computation.
> >
> > Can someone let me know if it is supported for the APR based connector and also
> > let me know the right parameter to use?
>
> Are you talking about "session tickets"?
>
> I don't believe Tomcat supports session tickets using any SSL connector.
>
> -chris
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
SSL Session Reuse in APR based connector
Hi,

We are currently running Tomcat 8 and I am trying to achieve higher performance. One of the steps is to use SSL session reuse, which will reduce the CPU-intensive computation.

Can someone let me know if it is supported for the APR based connector, and also let me know the right parameter to use?

Regards,
Sanaullah
Re: Tomcat 7 and APR connector parameters
Hi Igor,

I think you need to add the protocol attribute in the connector configuration so that it will load the connector with APR:

protocol="org.apache.coyote.http11.Http11AprProtocol"

If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment variables contain the Tomcat native library, the APR/native connector will be used. If the native library cannot be found, the blocking Java based connector will be used. Note that the APR/native connector has different settings for HTTPS than the Java connectors.

You can verify the protocol attribute in the documentation here [1].

[1] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Regards,
Sanaullah

On Mon, Sep 21, 2015 at 12:37 PM, Igor Cicimov wrote:
> Hi all,
>
> After enabling the APR/Native connector I can see the following warning
> messages upon tomcat restart:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLDisableCompression' to 'true' did not find a matching property.
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
>
> although I can see those options available in the documentation:
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> The relevant config in server.xml:
>
>            SSLEngine="on" />
>
>            scheme="https" secure="true" SSLEnabled="true"
>            SSLDisableCompression="true"
>            SSLProtocol="all"
>            SSLHonorCipherOrder="true"
>            SSLCipherSuite="EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
>            EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
>            EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>            SSLCertificateChainFile="${catalina.base}/conf/cachain.pem"
>            SSLCertificateFile="${catalina.base}/conf/star.pem"
>            SSLCertificateKeyFile="${catalina.base}/conf/star_key.pem" />
>
> Am I missing something or am I maybe hitting some limitation related to
> tomcat/apr/tcnative version?
>
> OS: Ubuntu 12.04.5 LTS
> Tomcat: 7.0.26 (Ubuntu repository)
> openssl: 1.0.1-4ubuntu5.31
> libtcnative-1: 1.1.22-1build1
>
> Thanks,
> Igor
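As an added example (not code from the thread or from the Tomcat project), the following script makes the point of the reply above checkable: it reads a server.xml and reports, for each SSL-enabled Connector, which of its SSL attributes belong to the APR/OpenSSL family and which to the JSSE family. Tomcat's SetAllPropertiesRule logs "did not find a matching property" for any attribute the loaded connector class does not expose, which happens when attributes from the other connector family are used, or when the installed Tomcat/tcnative version predates the attribute. The attribute sets are the documented Tomcat 7 names; the server.xml is constructed for the demo and uses an APR connector configured correctly and a NIO connector carrying an APR-only attribute.

```python
"""Classify the SSL attributes of each SSL-enabled <Connector> in a Tomcat 7 server.xml
by connector family. Added example, not Tomcat project code; the attribute sets are the
documented Tomcat 7 names and the server.xml below is constructed for the demo."""
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # blocking Java connector (BIO)
    "org.apache.coyote.http11.Http11NioProtocol",  # non-blocking Java connector (NIO)
}
# APR/OpenSSL-style attributes (Tomcat 7 "SSL Support - APR/Native" section).
APR_SSL_ATTRS = {
    "SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder", "SSLDisableCompression",
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
    "SSLCACertificateFile", "SSLVerifyClient", "SSLPassword",
}
# JSSE-style attributes (Tomcat 7 "SSL Support - BIO and NIO" section).
JSSE_SSL_ATTRS = {
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
    "truststoreFile", "truststorePass", "clientAuth", "sslProtocol", "ciphers",
}

# Constructed server.xml: port 8443 is a correctly configured APR connector, port 8444 is
# a NIO (JSSE) connector that also carries the APR-only SSLHonorCipherOrder attribute.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="all" SSLHonorCipherOrder="true"
               SSLCertificateFile="conf/star.pem" SSLCertificateKeyFile="conf/star_key.pem"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/.keystore" keystorePass="changeit"
               SSLHonorCipherOrder="true"/>
  </Service>
</Server>"""


def classify_connectors(server_xml):
    """One dict per SSL-enabled Connector: its family (APR / JSSE / auto) and which
    of its attributes belong to each SSL attribute family."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol == APR_PROTOCOL:
            family = "APR"
        elif protocol in JSSE_PROTOCOLS:
            family = "JSSE"
        else:
            # "HTTP/1.1": Tomcat picks APR if tcnative loads, otherwise a Java connector,
            # so the effective family is only known at startup.
            family = "auto"
        attrs = set(conn.attrib)
        report.append({
            "port": conn.get("port"),
            "family": family,
            "apr_attrs": sorted(attrs & APR_SSL_ATTRS),
            "jsse_attrs": sorted(attrs & JSSE_SSL_ATTRS),
        })
    return report


def mismatched_ports(report):
    """Ports whose SSL attributes will draw 'did not find a matching property'
    warnings because they belong to the other connector family."""
    bad = []
    for c in report:
        if (c["family"] == "APR" and c["jsse_attrs"]) or \
           (c["family"] == "JSSE" and c["apr_attrs"]) or \
           (c["family"] == "auto" and c["apr_attrs"] and c["jsse_attrs"]):
            bad.append(c["port"])
    return bad


if __name__ == "__main__":
    for connector in classify_connectors(SAMPLE_SERVER_XML):
        print(connector)
    print("mismatched:", mismatched_ports(SAMPLE_SERVER_XML and classify_connectors(SAMPLE_SERVER_XML)))
```

A connector that matches the check but still produces the warning is the version case: the attribute exists in the documentation for a newer release than the one installed, which is worth ruling out against the running Tomcat and tcnative versions before changing the configuration.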
Re: FIPS compliancy on Tomcat 7.00.062
If you remove the entire ciphers attribute from the server.xml, then by default the SSL/TLS session picks the best available cipher from the SSL/TLS handshake version.

On Wed, Aug 5, 2015 at 4:10 PM, Nikitha Benny wrote:
> Hi Sanaullah,
>
> That is because we have removed the entire "ciphers" attribute from the
> server.xml file.
> But that should be fine as the non compliant FIPS also has the "cipher"
> attribute removed and it shows the similar client to server connection and
> runs fine.
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah wrote:
>
> > run this command with debugging prints.
> >
> > openssl s_client -connect 16.183.93.84:8444 -debug -msg
> >
> > > Protocol : *TLSv1.2*
> > > Cipher:
> >
> > it seems something broken as there is no Cipher
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny wrote:
> >
> > > Hi Mark, Sanaullah,
> > >
> > > Thank you for your valuable suggestion.
> > >
> > > I just ran the openssl s_client scan, and it looks like the server side is
> > > running fine on *TLSv1.2* Protocol.
> > >
> > > [root]## *openssl s_client -connect 16.183.93.84:8444*
> > > CONNECTED(0003)
> > > - - - - - - -
> > > - - - - - - -
> > > - - - - - - -
> > > - - - - - - -
> > >
> > > 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> > > dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> > > Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> > > d/A4
> > > -----END CERTIFICATE-----
> > > subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1476 bytes and written 7 bytes
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > >     Protocol  : *TLSv1.2*
> > >     Cipher    :
> > >     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> > >     Session-ID-ctx:
> > >     Master-Key:
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     PSK identity: None
> > >     PSK identity hint: None
> > >     Start Time: 1438771286
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 18 (self signed certificate)
> > >
> > > So could it be an issue with the browser?
> > > Since the browser is not FIPS compliant, could it be the reason for the
> > > issue?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah wrote:
> > >
> > > > Hi Nikhita,
> > > >
> > > > run the sslscan tool from the command line or openssl s_client in debug
> > > > mode
> > > > https://github.com/rbsec/sslscan
> > > >
> > > > Regards,
> > > > Sanaullah
> > > >
> > > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny wrote:
> > > >
> > > > > Hi Mark,
> > > > >
> > > > > My server is not on a public domain.
> > > > > How can I verify the setup which is on a private network?
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas wrote:
> > > > >
> > > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > > Hi Mark,
> > > > > > >
> > > > > > > When I try to run Tomcat on the https server port:
> > > > > > >
> > > > > > > *https://:8444/*
> > > > > > >
> > > > > > > It says as below:
> > > > > > > --
> > > > > > >
> > > > > > > *SSL connection error*
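The s_client output quoted in this thread is a good illustration of why the "Protocol : TLSv1.2" line alone proves nothing: the cipher is "(NONE)" and the Master-Key is empty, so no cipher suite was negotiated and the handshake failed. The script below is an added example (not from the thread) that parses the summary block `openssl s_client` prints and reports whether a session was actually established, separating handshake failures from certificate-verification warnings such as "18 (self signed certificate)". Both sample outputs are constructed excerpts: the failing one follows the output posted above, the working one shows what a completed handshake looks like, with a made-up Session-ID and Master-Key.

```python
"""Parse the summary that `openssl s_client` prints after a connection attempt and decide
whether a TLS session was really established. Added example, not code from the thread.
Both sample outputs are constructed excerpts."""
import re

# Constructed excerpt following the failing output quoted in the thread.
FAILED_OUTPUT = """CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Session-ID-ctx:
    Master-Key:
    Start Time: 1438771286
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
"""

# Constructed excerpt of a completed handshake (Session-ID and Master-Key are made up).
WORKING_OUTPUT = """CONNECTED(00000003)
---
SSL handshake has read 3281 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Master-Key: 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF0011223344556677
    Verify return code: 0 (ok)
"""

_SESSION_KEYS = ("Protocol", "Cipher", "Session-ID", "Master-Key", "Verify return code")


def parse_s_client(output):
    """Extract the handshake-summary fields into a dict; fields that are absent stay absent."""
    fields = {}
    m = re.search(r"^New, .*?, Cipher is (.+)$", output, re.M)
    if m:
        fields["negotiated_cipher"] = m.group(1).strip()
    m = re.search(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes", output, re.M)
    if m:
        fields["bytes_read"], fields["bytes_written"] = int(m.group(1)), int(m.group(2))
    for key in _SESSION_KEYS:
        # Only spaces/tabs around the colon: "\s" would run across the newline after
        # an empty value such as "Master-Key:" and swallow the next line.
        m = re.search(r"^[ \t]*%s[ \t]*:[ \t]*(.*)$" % re.escape(key), output, re.M)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def assess(fields):
    """Handshake verdict plus certificate-verification warnings, kept apart because a
    verify error (e.g. self-signed) does not by itself stop s_client from completing."""
    problems, warnings = [], []
    if fields.get("negotiated_cipher", "(NONE)") == "(NONE)":
        problems.append("no cipher suite negotiated; the handshake did not complete")
    if not fields.get("Master-Key"):
        problems.append("Master-Key is empty; no session keys were derived")
    code = fields.get("Verify return code", "")
    if code and not code.startswith("0 "):
        warnings.append("certificate verification: " + code)
    return {"handshake_ok": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for label, text in (("failed", FAILED_OUTPUT), ("working", WORKING_OUTPUT)):
        print(label, assess(parse_s_client(text)))
```

Run it against captured output rather than the constructed samples by reading the text from a file; the parser only needs the summary block, so the `-debug -msg` dumps suggested in the thread can be left in.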
Re: FIPS compliancy on Tomcat 7.00.062
run this command with debugging prints.

openssl s_client -connect 16.183.93.84:8444 -debug -msg

> Protocol : *TLSv1.2*
> Cipher:

it seems something broken as there is no Cipher

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny wrote:
> Hi Mark, Sanaullah,
>
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server side is
> running fine on *TLSv1.2* Protocol.
>
> [root]## *openssl s_client -connect 16.183.93.84:8444*
> CONNECTED(0003)
> - - - - - - -
> - - - - - - -
> - - - - - - -
> - - - - - - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : *TLSv1.2*
>     Cipher    :
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser?
> Since the browser is not FIPS compliant, could it be the reason for the
> issue?
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah wrote:
>
> > Hi Nikhita,
> >
> > run the sslscan tool from the command line or openssl s_client in debug
> > mode
> > https://github.com/rbsec/sslscan
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny wrote:
> >
> > > Hi Mark,
> > >
> > > My server is not on a public domain.
> > > How can I verify the setup which is on a private network?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas wrote:
> > >
> > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > Hi Mark,
> > > > >
> > > > > When I try to run Tomcat on the https server port:
> > > > >
> > > > > *https://:8444/*
> > > > >
> > > > > It says as below:
> > > > > --
> > > > >
> > > > > *SSL connection error*
> > > > >
> > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > >
> > > > > *Unable to make a secure connection to the server. This may be a problem
> > > > > with the server, or it may be requiring a client authentication certificate
> > > > > that you don't have*
> > > > > **
> > > >
> > > > That is the client side. What about server side logs?
> > > >
> > > > > We have set the client authentication to False, so it does not need any
> > > > > client authorized certificate.
> > > >
> > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > server. That will tell you if you have a server side issue, a client
> > > > side issue or simply a mismatch between the two.
> > > >
> > > > Mark
> > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.be...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >>> But still Tomcat does not run on the https port.
> > > > >>
> > > > >> As in, when we run Tomcat on the https server port it does not display the
> > > > >> page.
> > > > >> Where as it goes through fine on the http port. The url opens.
> > > > >>
Re: FIPS compliancy on Tomcat 7.00.062
Hi Nikhita,

run the sslscan tool from the command line or openssl s_client in debug mode
https://github.com/rbsec/sslscan

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny wrote:
> Hi Mark,
>
> My server is not on a public domain.
> How can I verify the setup which is on a private network?
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas wrote:
>
> > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > Hi Mark,
> > >
> > > When I try to run Tomcat on the https server port:
> > >
> > > *https://:8444/*
> > >
> > > It says as below:
> > > --
> > >
> > > *SSL connection error*
> > >
> > > *ERR_SSL_PROTOCOL_ERROR*
> > >
> > > *Unable to make a secure connection to the server. This may be a problem
> > > with the server, or it may be requiring a client authentication certificate
> > > that you don't have*
> > > **
> >
> > That is the client side. What about server side logs?
> >
> > > We have set the client authentication to False, so it does not need any
> > > client authorized certificate.
> >
> > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > server. That will tell you if you have a server side issue, a client
> > side issue or simply a mismatch between the two.
> >
> > Mark
> >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny wrote:
> > >
> > >>> But still Tomcat does not run on the https port.
> > >>
> > >> As in, when we run Tomcat on the https server port it does not display the
> > >> page.
> > >> Where as it goes through fine on the http port. The url opens.
> > >>
> > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas wrote:
> > >>
> > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > >>>> Hello Mark,
> > >>>>
> > >>>> Thanks for your valuable suggestion.
> > >>>>
> > >>>> We were successful in creating the pkcs12 keystore which picks up
> > >>>> SHA256 as shown below:
> > >>>
> > >>>> But still Tomcat does not run on the https port.
> > >>>
> > >>> Define "does not run".
> > >>>
> > >>>> Any clue as to why this happens?
> > >>>
> > >>> Based on the information provided so far, no.
> > >>>
> > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > >>>
> > >>> OK. That is the HTTP BIO connector.
> > >>>
> > >>>> Could it be because I am not using an APR connector protocol?
> > >>>
> > >>> No.
> > >>>
> > >>> Mark
Re: Setting SSL in Tomcat 7.0
>> "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

I don't know what the output of the above command was when it ran, or whether it executed successfully or not. You can follow the example below; I am using a Linux machine.

root@ubuntu:/home/sanaullah# keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  PK
What is the name of your organizational unit?
  [Unknown]:  test
What is the name of your organization?
  [Unknown]:  test
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=PK, OU=test, O=test, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for
        (RETURN if same as keystore password):
root@ubuntu:/home/sanaullah# ls
root@ubuntu:/home/sanaullah# ls /root/.keystore

As I was running the keytool command as the root user, the keystore is created in /root/.keystore. You must find the file somewhere in Windows and set its path in the connector configuration, and also set its password.

Regards,
Sanaullah

On Sun, Jul 12, 2015 at 2:42 AM, Joby J. Joseph wrote:
> Hi,
>
> Thanks for the reply.
> I have followed the same steps provided by the tomcat documentation.
>
> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration
>
> First I created the keystore file by executing the command ...
>
> "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
>
> Then I added it in the config file.
>
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="8443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>            clientAuth="false" sslProtocol="TLS"/>
>
> Here. I got the error as...
>
> SEVERE: Failed to load keystore type JKS with path
> C:\Windows\system32\config\systemprofile/.keystore due to
> C:\Windows\system32\config\systemprofile\.keystore (The system cannot find
> the file specified)
> java.io.FileNotFoundException:
> C:\Windows\system32\config\systemprofile\.keystore (The system cannot find
> the file specified)
>         at java.io.FileInputStream.open(Native Method)
>         at java.io.FileInputStream.<init>(Unknown Source)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:490)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
>         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
>
> So, I did a listing of the keystore file and I got the error as Keystore
> file does not exist.
>
> Joby J. Joseph
> Systems Engineer - Application Support
>
> -----Original Message-----
> From: Sanaullah [mailto:sanaulla...@gmail.com]
> Sent: 12/07/2015 12:37 PM
> To: Tomcat Users List
> Subject: Re: Se
Re: Setting SSL in Tomcat 7.0
Hi Joby,

Where is your keystore file?

>> keytool error: java.lang.Exception: Keystore file does not exist: .keystore

The error is self-explanatory: "Keystore file does not exist". Could you share your server.xml configuration, and also let us know the steps: how did you create the keystore?

Regards,
Sanaullah

On Sun, Jul 12, 2015 at 2:23 AM, Joby J. Joseph wrote:
> Hi,
>
> I need a help for setting up the SSL in Tomcat Server 7.0.
>
> I have created keystore and changed the server.xml file. But, I am getting
> the following exception.
>
> Screen for creating the keystore.
>
> After this, I did a listing for the keystore values. It shows an error.
>
> keytool -list -keystore .keystore
>
> and it gives..
> keytool error: java.lang.Exception: Keystore file does not exist: .keystore
>
> Any suggestion this error.
> Where is the keystore file located.
>
> Thanks in advance…
>
> Joby J. Joseph
> Systems Engineer - Application Support
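The stack trace in this thread (`Failed to load keystore type JKS with path C:\Windows\system32\config\systemprofile/.keystore`) shows the usual cause of this error: Tomcat expands `${name}` in server.xml attribute values from JVM system properties and resolves a relative `keystoreFile` against `catalina.base`, so the documented default `${user.home}/.keystore` means the home directory of the account the JVM runs as. A Windows service running as LocalSystem has the profile `C:\Windows\system32\config\systemprofile`, which is the path in the trace, while keytool run from an administrator's console writes `.keystore` into that administrator's home. The script below is an added example (not Tomcat code) that resolves a `keystoreFile` value under two sets of properties and reports whether they point at different files; the property values and user names are constructed placeholders.

```python
"""Resolve a Tomcat JSSE keystoreFile attribute the way the connector does and compare
where the running JVM looks with where an interactive keytool run put the file.
Added example, not Tomcat code; the property maps and paths are constructed."""
import re
from pathlib import PurePosixPath, PureWindowsPath

_PROP = re.compile(r"\$\{([^}]+)\}")


def substitute(value, props):
    """Expand ${name} from props; an unknown name is left as written."""
    return _PROP.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def resolve_keystore(keystore_attr, props, windows=False):
    """Absolute path Tomcat will open for keystoreFile under the given system properties:
    ${...} substitution first, then a relative path is taken under catalina.base."""
    Path = PureWindowsPath if windows else PurePosixPath
    path = Path(substitute(keystore_attr, props))
    if not path.is_absolute():
        path = Path(props["catalina.base"]) / path
    return str(path)


# Constructed: properties as seen by a Tomcat Windows service running as LocalSystem,
# and as seen by the administrator who ran keytool from a console.
SERVICE_PROPS = {"user.home": r"C:\Windows\system32\config\systemprofile",
                 "catalina.base": r"C:\apache-tomcat-7"}
CONSOLE_PROPS = {"user.home": r"C:\Users\admin",
                 "catalina.base": r"C:\apache-tomcat-7"}


def diagnose(keystore_attr, runtime_props, console_props, windows=True):
    """Report both resolved paths and whether the attribute depends on who runs the JVM."""
    runtime = resolve_keystore(keystore_attr, runtime_props, windows)
    console = resolve_keystore(keystore_attr, console_props, windows)
    result = {"runtime_path": runtime, "console_path": console, "mismatch": runtime != console}
    if result["mismatch"]:
        result["advice"] = ("keystoreFile depends on user.home; use an absolute path or a "
                            "path relative to catalina.base such as conf/.keystore")
    return result


if __name__ == "__main__":
    print(diagnose("${user.home}/.keystore", SERVICE_PROPS, CONSOLE_PROPS))
    print(diagnose("conf/.keystore", SERVICE_PROPS, CONSOLE_PROPS))
```

Keeping the keystore under `${catalina.base}/conf` (or naming it by absolute path) makes the resolved file the same regardless of the service account, which is the practical fix for the error in the thread.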
Re: Problem with APR library - Tomcat 7
I think in Ubuntu/Debian you can create the file in /usr/share/tomcat7/bin/setenv.sh, but you still have to explore, as I am not using the deb package for the Tomcat installation.

On Tue, May 19, 2015 at 6:58 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Dejan,
>
> On 5/19/15 9:45 AM, Dejan Stamenov wrote:
> > I wrote in the message before, I have specified it at:
> > /usr/lib/x86_64-linux-gnu. In this folder, I can see libapr-1.so,
> > libapr-1.so.0.5.1. and libarputil-1.so.0.5.3 too.
>
> How about libtcnative?
>
> > About the Tomcat /bin folder, it doesn't exist on my Tomcat path:
> > /etc/tomcat7. Should I create it, including the file too?
>
> That's not necessary.
>
> > When I do a search for the setenv.sh file, I can't find it either.
>
> Tomcat doesn't ship with a setenv.sh file. If you want to use one,
> you'll have to create it yourself. If you are using a package-managed
> version of Tomcat, those files could be anywhere. When using a
> standard Tomcat package downloaded from apache.org (or a mirror), then
> setenv.sh should be in CATALINA_BASE/bin/setenv.sh if you'd like to
> create one.
>
> Note that some methods for launching Tomcat ignore setenv.sh (like
> using jsvc, for instance). Make sure you know what you are doing
> before you do it.
>
> -chris
>
> >> Date: Tue, 19 May 2015 18:38:23 +0500
> >> Subject: Re: Problem with APR library - Tomcat 7
> >> From: sanaulla...@gmail.com
> >> To: users@tomcat.apache.org
> >>
> >> so where did you specify your Apr lib path for tomcat?
> >>
> >> you can set the Apr lib path in setenv.sh in tomcat bin folder
> >>
> >> JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"
> >> CATALINA_OPTS="-Djava.library.path=/usr/lib/x86_64-linux-gnu/apr/lib"
> >>
> >> you should verify the path and restart the tomcat again also may be you
> >> need to compile the apr-utils as well
> >>
> >> On Tue, May 19, 2015 at 6:31 PM, Dejan Stamenov wrote:
> >>
> >>> Hello Chris,
> >>>
> >>> First, I have downloaded the APR library from here:
> >>> http://apache.sunsite.ualberta.ca/apr/apr-1.5.2.tar.gz .
> >>> Following this tutorial:
> >>> http://www.techsww.com/tutorials/libraries/apr/installation/installing_apache_portable_runtime_library_on_ubuntu_linux.php
> >>> , I have installed this library into /usr/lib/x86_64-linux-gnu.
> >>> After that, I have downloaded the tcnative library from the
> >>> links Mark provided. Also, following the same links I run this
> >>> config command: ./configure
> >>> --with-apr=/usr/lib/x86_64-linux-gnu
> >>> --with-java-home=/usr/lib/jvm/java-7-openjdk-amd64
> >>> --with-ssl=yes --prefix=/usr/lib/x86_64-linux-gnu
> >>>
> >>> That --prefix location is where the error log file is
> >>> expecting for the library to be found.
> >>> Here is the error log:
> >>>
> >>> May 19, 2015 2:59:58 PM org.apache.catalina.startup.Catalina load
> >>> INFO: Initialization processed in 1973 ms
> >>> May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardService startInternal
> >>> INFO: Starting service Catalina
> >>> May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardEngine startInternal
> >>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
> >>> May 19, 2015 2:59:58 PM org.apache.catalina.startup.HostConfig deployDirectory
> >>> INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
> >>> May 19, 2015 3:00:02 PM org.apache.coyote.AbstractProtocol start
> >>> INFO: Starting ProtocolHandler ["http-bio-8080"]
> >>> May 19, 2015 3:00:02 PM org.apache.catalina.startup.Catalina start
> >>> INFO: Server startup in 4014 ms
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
> >>> INFO: Pausing ProtocolHandler ["http-bio-8080"]
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
> >>> INFO: Pausing ProtocolHandler ["http-apr-8443"]
> >>> May 19, 2015 3:06:39 PM org.apache.catalina.core.StandardService stopInternal
> >>> INFO: Stopping service Catalina
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
> >>> INFO: Stopping ProtocolHandler ["http-bio-8080"]
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
> >>> INFO: Destroying ProtocolHandler ["http-bio-8080"]
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
> >>> INFO: Stopping ProtocolHandler ["http-apr-8443"]
> >>> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
> >>> INFO: Destroying ProtocolHandler ["http-apr-8443"]
> >>> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> >>> WARNING: Problem with directory [/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], canRead: [false]
> >>> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> >>> WARNING: Problem with directory [/usr/share/tomcat7/common], exists: [false], isDirectory: [false], canRead: [
Re: Problem with APR library - Tomcat 7
So where did you specify your APR lib path for Tomcat?

You can set the APR lib path in setenv.sh in the Tomcat bin folder:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"
CATALINA_OPTS="-Djava.library.path=/usr/lib/x86_64-linux-gnu/apr/lib"

You should verify the path and restart Tomcat again; you may also need to compile apr-utils as well.

On Tue, May 19, 2015 at 6:31 PM, Dejan Stamenov wrote:
> Hello Chris,
>
> First, I have downloaded the APR library from here:
> http://apache.sunsite.ualberta.ca/apr/apr-1.5.2.tar.gz . Following this
> tutorial:
> http://www.techsww.com/tutorials/libraries/apr/installation/installing_apache_portable_runtime_library_on_ubuntu_linux.php
> , I have installed this library into /usr/lib/x86_64-linux-gnu.
> After that, I have downloaded the tcnative library from the links Mark
> provided. Also, following the same links I run this config command:
> ./configure --with-apr=/usr/lib/x86_64-linux-gnu
> --with-java-home=/usr/lib/jvm/java-7-openjdk-amd64
> --with-ssl=yes
> --prefix=/usr/lib/x86_64-linux-gnu
>
> That --prefix location is where the error log file is expecting for the
> library to be found.
> Here is the error log:
>
> May 19, 2015 2:59:58 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1973 ms
> May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
> May 19, 2015 2:59:58 PM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
> May 19, 2015 3:00:02 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> May 19, 2015 3:00:02 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 4014 ms
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-bio-8080"]
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-apr-8443"]
> May 19, 2015 3:06:39 PM org.apache.catalina.core.StandardService stopInternal
> INFO: Stopping service Catalina
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
> INFO: Stopping ProtocolHandler ["http-bio-8080"]
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
> INFO: Destroying ProtocolHandler ["http-bio-8080"]
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
> INFO: Stopping ProtocolHandler ["http-apr-8443"]
> May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
> INFO: Destroying ProtocolHandler ["http-apr-8443"]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/common], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/server/classes], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/server], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/shared/classes], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with directory [/usr/share/tomcat7/shared], exists: [false], isDirectory: [false], canRead: [false]
> May 19, 2015 3:07:09 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
> May 19, 2015 3:07:10 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> May 19, 2015 3:07:10 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>         at org.apa
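The AprLifecycleListener line in the log above lists every directory the JVM searched for the native library, so the quickest check is to walk that list and look for libtcnative-1.so in each entry. The script below is an added example (not Tomcat code) that extracts the path from the quoted log line, reports which directories actually contain the library, and flags the --prefix situation from the thread: a libtool-based `make install` places the shared object in `<prefix>/lib`, so `--prefix=/usr/lib/x86_64-linux-gnu` puts it in `/usr/lib/x86_64-linux-gnu/lib`, one level below the directory that is on the search path. The log line is the one from the thread; the directory that does contain the library is constructed in a temporary directory with a placeholder file.

```python
"""Check the java.library.path that AprLifecycleListener reported for the Tomcat Native
shared library. Added example, not Tomcat code; the log line is the one quoted in the
thread, the directory that contains the library is constructed."""
import os
import re
import tempfile

NATIVE_LIB = "libtcnative-1.so"
_LOG = re.compile(r"was not found on the java\.library\.path:\s*(\S+)")

# The AprLifecycleListener line from the thread's log.
LOG_LINE = ("INFO: The APR based Apache Tomcat Native library which allows optimal performance "
            "in production environments was not found on the java.library.path: "
            "/usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:"
            "/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib")


def library_path_from_log(log_text):
    """The directories Tomcat searched, in order, or [] if the log has no such line."""
    m = _LOG.search(log_text)
    return m.group(1).split(":") if m else []


def find_native_lib(dirs, lib_name=NATIVE_LIB):
    """Every searched directory that actually contains the library."""
    return [os.path.join(d, lib_name) for d in dirs
            if os.path.exists(os.path.join(d, lib_name))]


def prefix_mismatch(prefix, dirs):
    """True when tcnative was built with --prefix=<prefix> but only <prefix>, not
    <prefix>/lib where `make install` puts the library, is on the search path."""
    lib_dir = prefix.rstrip("/") + "/lib"
    return prefix in dirs and lib_dir not in dirs


def demo():
    """Run the checks against the thread's path plus one constructed directory."""
    dirs = library_path_from_log(LOG_LINE)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, NATIVE_LIB), "wb") as f:
            f.write(b"\x7fELF")  # constructed placeholder, not a real shared object
        found = find_native_lib(dirs + [tmp])
    return {
        "searched": dirs,
        "found": found,
        "prefix_mismatch": prefix_mismatch("/usr/lib/x86_64-linux-gnu", dirs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a real log, pass the whole file's text to `library_path_from_log` and drop the temporary directory; the `-Djava.library.path` setting from the reply above, or adding `<prefix>/lib` to it, is the configuration the check is meant to confirm.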
Re: signed code deployment
I haven't seen anything in the log related to signature verification, even when I wrote the wrong certificate alias in the catalina.policy file; the resulting log is the same:

INFO - Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.5.1.
INFO - APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO - OpenSSL successfully initialized (OpenSSL 1.0.1f 6 Jan 2014)
INFO - Initializing ProtocolHandler ["http-apr-9009"]
INFO - Initializing ProtocolHandler ["http-bio-7443"]
trustStore is: /usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Issuer:  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Algorithm: RSA; Serial number: 0xcf08e5c0816a5ad427ff0eb271859d0
  Valid from Tue Nov 07 19:31:18 UTC 2006 until Mon Dec 31 19:40:55 UTC 2029

adding as trusted cert:
  Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 01 00:00:00 UTC 2009 until Thu Dec 31 23:59:59 UTC 2037

adding as trusted cert:
  Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
  Valid from Fri Oct 01 00:00:00 UTC 1999 until Wed Jul 16 23:59:59 UTC 2036

adding as trusted cert:
  Subject: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Issuer:  OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 04:20:49 UTC 2003 until Sat Sep 30 04:20:49 UTC 2023

adding as trusted cert:
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
  Valid from Fri Nov 10 00:00:00 UTC 2006 until Mon Nov 10 00:00:00 UTC 2031

adding as trusted cert:
  Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x3863def8
  Valid from Fri Dec 24 17:50:51 UTC 1999 until Tue Jul 24 14:15:12 UTC 2029

adding as trusted cert:
  Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x4
  Valid from Mon Jun 21 04:00:00 UTC 1999 until Sun Jun 21 04:00:00 UTC 2020

adding as trusted cert:
  Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
  Valid from Fri Nov 17 00:00:00 UTC 2006 until Wed Jul 16 23:59:59 UTC 2036

adding as trusted cert:
  Subject: EMAILADDRESS=i...@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=i...@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Sat Jun 26 00:19:54 UTC 1999 until Wed Jun 26 00:19:54 UTC 2019

adding as trusted cert:
  Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 01 00:00:00 UTC 2009 until Thu Dec 31 23:59:59 UTC 2037

adding as trusted cert:
  Subject: EMAILADDRESS=personal-freem...@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=personal-freem...@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=C;ape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e
Re: signed code deployment
> Can you verify that the certificate is in there by doing "keytool
> -list .../cacerts"?

keytool -v --list -keystore /usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts | grep "codesigntest"
Enter keystore password:
Alias name: codesigntest
Owner: CN=codesigntest

>> I mentioned the same alias in catalina.policy grant signedBy "codesigntest"
> Okay.
> So that certificate directly-signed your JAR?
> At runtime, do you get an error? What's the full message and stack trace?

I have signed the ams_ear.ear using jarsigner prior to deploying it, using the following command:

root@pay:/home/sanaullah# jarsigner -verbose -keystore /home/sanaullah/codesigntest.jks -storepass test /home/sanaullah/apache-tomee-webprofile-2.0.0-SNAPSHOT/apps/ams_ear.ear codesigntest
  updating: META-INF/CODESIGN.SF
  updating: META-INF/CODESIGN.RSA
    adding: lib/
   signing: lib/javax.json.jar
   signing: lib/javax.jms-api.jar
   signing: lib/ams_persistence.jar
   signing: lib/httpclient-4.3.4.jar
   signing: lib/httpcore-4.3.2.jar
   signing: lib/commons-logging-1.1.3.jar
   signing: lib/commons-codec-1.6.jar
   signing: lib/nekohtml-1.9.21.jar
   signing: lib/xercesImpl-2.10.0.jar
   signing: lib/xml-apis-1.4.01.jar
   signing: lib/commons-io-2.4.jar
   signing: lib/jcl-over-slf4j-1.7.5.jar
   signing: lib/slf4j-api-1.7.5.jar
   signing: lib/slf4j-log4j12-1.7.5.jar
   signing: lib/log4j-1.2.17.jar
   signing: lib/commons-lang3-3.1.jar
   signing: lib/jackson-core-2.4.0.jar
   signing: lib/jackson-databind-2.4.0.jar
   signing: lib/jackson-annotations-2.4.0.jar
   signing: lib/spring-integration-http-4.0.4.RELEASE.jar
   signing: lib/spring-webmvc-4.0.7.RELEASE.jar
   signing: lib/spring-beans-4.0.7.RELEASE.jar
   signing: lib/spring-core-4.0.7.RELEASE.jar
   signing: lib/spring-context-4.0.7.RELEASE.jar
   signing: lib/spring-aop-4.0.7.RELEASE.jar
   signing: lib/spring-expression-4.0.7.RELEASE.jar
   signing: lib/spring-web-4.0.7.RELEASE.jar
   signing: lib/rome-fetcher-1.0.0.jar
   signing: lib/jdom-1.0.jar
   signing: lib/rome-1.0.0.jar
   signing: lib/spring-integration-core-4.0.4.RELEASE.jar
   signing: lib/spring-tx-4.0.7.RELEASE.jar
   signing: lib/spring-retry-1.1.1.RELEASE.jar
   signing: lib/spring-messaging-4.0.7.RELEASE.jar
   signing: lib/spring-integration-jdbc-4.0.4.RELEASE.jar
   signing: lib/spring-jdbc-4.0.7.RELEASE.jar
   signing: lib/guava-16.0.1.jar
   signing: lib/spring-integration-stream-4.0.4.RELEASE.jar
   signing: lib/spring-integration-ws-4.0.4.RELEASE.jar
   signing: lib/spring-ws-core-2.2.0.RELEASE.jar
   signing: lib/spring-xml-2.2.0.RELEASE.jar
   signing: lib/spring-oxm-4.0.7.RELEASE.jar
   signing: lib/spring-aspects-4.0.7.RELEASE.jar
   signing: lib/aspectjweaver-1.8.2.jar
   signing: lib/spring-orm-4.0.7.RELEASE.jar
   signing: lib/aspectjrt-1.8.2.jar
   signing: lib/spring-integration-ftp-4.0.4.RELEASE.jar
   signing: lib/commons-net-3.3.jar
   signing: lib/spring-integration-file-4.0.4.RELEASE.jar
   signing: lib/spring-context-support-4.0.7.RELEASE.jar
   signing: lib/spring-integration-sftp-4.0.4.RELEASE.jar
   signing: lib/jsch-0.1.51.jar
   signing: ams_war.war
   signing: ams_ejb.jar
   signing: log4j.properties
jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-11-02) or after any future revocation date.

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 9:09 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 2/19/15 10:28 AM, Sanaullah wrote:
> > I have imported the public key (signed certificate) of the code
> > signing certificate using keytool to JVM cacerts
> > "/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts" and certificate
> > alias name is "codesigntest"
>
> Can you verify that the certificate is in there by doing "keytool
> -list .../cacerts"?
>
> > I mentioned the same alias in catalina.policy grant signedBy
> > "codesigntest"
>
> Okay.
>
> So that certificate directly-signed your JAR?
>
> At runtime, do you get an error? What's the full message and stack trace?
>
> Thanks,
> -chris
>
> > On Thu, Feb 19, 2015 at 8:13 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Sanaullah,
> >
> > On 2/13/15 12:48 PM, Sanaullah wrote:
> >>>> I have signed the ear package using jar signer and start the
> >>>> tomee using ./startup.sh -security and also edit the
> >>>> catalina.policy file looks like below.
> >>>>
> >>>> I am confused here, how code sign verification process is
> >>>> done? if the code sign certificate is not the trustst
Re: signed code deployment
Hey Chris,

I have imported the public key (signed certificate) of the code signing certificate using keytool into the JVM cacerts "/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts", and the certificate alias name is "codesigntest".

I mentioned the same alias in catalina.policy: grant signedBy "codesigntest"

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 8:13 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 2/13/15 12:48 PM, Sanaullah wrote:
> > I have signed the ear package using jar signer and start the tomee
> > using ./startup.sh -security and also edit the catalina.policy
> > file looks like below.
> >
> > I am confused here, how code sign verification process is done? if
> > the code sign certificate is not the truststore still the tomcat
> > server will start? or it stops booting the application?
> >
> > I haven't seen anything in the log related to code sign, how can i
> > verify this ?
>
> I'm no expert in use of a security manager or signed code, but where
> is your trust store located? How are you telling the JVM about where
> to find it?
>
> -chris
Re: Fwd: signed code deployment
Thanks David,

I think the security manager is the same as Tomcat's [1], but I need to get some clue on how code signature verification is done.

[1] tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 7:29 PM, David kerber wrote:
> On 2/19/2015 8:56 AM, Sanaullah wrote:
>> Anyone there to help me on this?
>
> I don't think there are many tomee people on this list, so you might get
> better responses somewhere else.
>
>> Regards,
>> Sanaullah
>>
>> ---------- Forwarded message ----------
>> From: Sanaullah
>> Date: Fri, Feb 13, 2015 at 10:48 PM
>> Subject: signed code deployment
>> To: Tomcat Users List
>>
>> Hi,
>>
>> I have signed the ear package using jar signer and start the tomee using
>> ./startup.sh -security and also edit the catalina.policy file looks
>> below.
>>
>> I am confused here, how code sign verification process is done? if the
>> code sign certificate is not the truststore still the tomcat server will start?
>> or it stops booting the application?
>>
>> I haven't seen anything in the log related to code sign, how can i verify
>> this ?
>
> ...
Fwd: signed code deployment
Anyone there to help me on this?

Regards,
Sanaullah

---------- Forwarded message ----------
From: Sanaullah
Date: Fri, Feb 13, 2015 at 10:48 PM
Subject: signed code deployment
To: Tomcat Users List

Hi,

I have signed the ear package using jarsigner and started TomEE using ./startup.sh -security, and also edited the catalina.policy file so that it looks like below.

I am confused here: how is the code signature verification process done? If the code signing certificate is not in the truststore, will the Tomcat server still start, or will it stop booting the application?

I haven't seen anything in the log related to code signing; how can I verify this?

grant signedBy "codesigntest", codeBase "file:${catalina.base}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/ams_ear.ear" {
        permission java.security.AllPermission;
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/*" {
        permission java.security.AllPermission;
};

Regards,
Sanaullah
signed code deployment
Hi,

I have signed the ear package using jarsigner and started TomEE using ./startup.sh -security, and also edited the catalina.policy file so that it looks like below.

I am confused here: how is the code signature verification process done? If the code signing certificate is not in the truststore, will the Tomcat server still start, or will it stop booting the application?

I haven't seen anything in the log related to code signing; how can I verify this?

grant signedBy "codesigntest", codeBase "file:${catalina.base}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/ams_ear.ear" {
        permission java.security.AllPermission;
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/*" {
        permission java.security.AllPermission;
};

Regards,
Sanaullah
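The question running through this thread (and the jarsigner transcript earlier on the page) is how to see whether a signed EAR is actually being checked. Two points an editor can add with confidence: `jarsigner -verify -verbose -certs <archive>` reports whether the digests and the signature over the .SF file are intact, and a policy file's `signedBy` aliases are looked up in the keystore named by a `keystore "url"` entry in that same policy file, which is what Chris's "how are you telling the JVM where to find it?" is getting at. The script below is an added example, not code from the thread or from Tomcat/TomEE: it performs the integrity half of that check, comparing the per-entry digests recorded in META-INF/MANIFEST.MF with the archive's real contents, so tampered or added members show up. It does not check who signed the archive; that still needs jarsigner or the JVM. The archive contents and entry names are constructed for the demo.

```python
"""Added example, not code from the thread or from Tomcat/TomEE: verify the
per-entry digests that a signed JAR/EAR records in META-INF/MANIFEST.MF
against the archive's real contents.  This is the integrity step that
`jarsigner -verify` performs before checking the signature over the .SF
file; it answers "was anything changed or added after signing?" but not
"who signed it?", which still needs jarsigner or the JVM's own check.
All archive contents below are constructed for the demo."""
import base64
import hashlib
import io
import zipfile

# Digest attributes jarsigner writes into MANIFEST.MF, mapped to hashlib names.
DIGEST_ATTRS = {
    "SHA-256-Digest": "sha256",
    "SHA1-Digest": "sha1",
    "SHA-384-Digest": "sha384",
    "SHA-512-Digest": "sha512",
}


def parse_manifest(text):
    """Return {entry_name: {attribute: value}} for the per-entry sections.

    Manifest lines are limited to 72 bytes; longer values continue on the
    next line with one leading space, so continuations are re-joined first.
    The main section (everything before the first 'Name:') is skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    sections, current = {}, None
    for line in logical:
        if not line.strip():
            current = None          # a blank line ends a section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = sections.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return sections


def check_manifest_digests(jar_bytes):
    """Compare each recorded digest with the entry's actual digest.

    Returns (ok, tampered, undigested): entries whose digest matches, entries
    whose content no longer matches, and members that carry no digest at all
    (typically files added after the archive was signed)."""
    ok, tampered, undigested = [], [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            # Directories and the signature files themselves carry no digest.
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = manifest.get(name)
            if not attrs:
                undigested.append(name)
                continue
            data = zf.read(name)
            matched = False
            for attr, algo in DIGEST_ATTRS.items():
                if attr in attrs:
                    expected = base64.b64decode(attrs[attr])
                    matched = hashlib.new(algo, data).digest() == expected
                    break
            (ok if matched else tampered).append(name)
    return ok, tampered, undigested


def build_demo_jar(entries, tamper=None, extra=None):
    """Constructed sample archive: MANIFEST.MF records SHA-256 digests for
    `entries`; `tamper` names an entry whose bytes are altered after the
    manifest was written, `extra` adds a member with no digest at all."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in entries.items():
            zf.writestr(name, data + b"\x00" if name == tamper else data)
        if extra:
            zf.writestr(extra, b"added after signing")
    return buf.getvalue()


if __name__ == "__main__":
    sample = {"lib/ams_persistence.jar": b"constructed jar bytes",
              "log4j.properties": b"log4j.rootLogger=INFO"}
    print(check_manifest_digests(build_demo_jar(sample)))
    print(check_manifest_digests(build_demo_jar(
        sample, tamper="lib/ams_persistence.jar", extra="lib/added-later.jar")))
```

Run against a real archive with `check_manifest_digests(open("ams_ear.ear", "rb").read())`; an empty `tampered` and `undigested` list means the contents still match what was signed, and anything listed there is what `jarsigner -verify` would also flag.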
Re: SSL issue in tomcat
Then maybe it's not an issue with Tomcat. Can you check your firewall? Maybe your firewall is dropping the connection after some time. Try to connect to the server from localhost using "openssl s_client -connect hostname:8443 -debug"; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y wrote:
> Got another issue...Tomcat is working fine after restart but it cannot last
> long.
> Now I cannot access https pages with any browsers. I didn't find anything
> useful in logs.
> After a restart, it works well again.
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="2"
>            redirectPort="8443" />
> <Connector maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>            keystoreFile="lib/cert/.keystore"
>            keystorePass="" />
>
> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah wrote:
> > its not necessary to have ciphers properties but if you want to restrict
> > the ciphers then you can use this property.
> >
> > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y wrote:
> > > Thank you all. Now it is working fine.
> > >
> > > <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> > >            maxThreads="150" SSLEnabled="true" scheme="https"
> > >            secure="true"
> > >            clientAuth="false" sslProtocol="TLS"
> > >            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > >            keystoreFile="lib/cert/.keystore" keystorePass=""
> > >            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > >            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
> > >
> > > By the way, do I need "ciphers" properties here?
> > >
> > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > > > Jason,
> > > >
> > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > Recently my application cannot be accessible in browser with https
> > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > > >
> > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > 3.0.
> > > > >
> > > > > <Connector connectionTimeout="2" redirectPort="8443" />
> > > > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > >            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > >            keystoreFile="xxx" keystorePass="xxx" />
> > > > > <Connector protocol="AJP/1.3" redirectPort="8443" />
> > > >
> > > > None of the responses you have gotten thus far are useful in any way.
> > > >
> > > > Your configuration looks fine to me: sslEnabledProtocols is the way to
> > > > go, although in recent versions of Tomcat the default is NOT to
> > > > include any "SSL" protocols and only use the "TLS" ones, so if you are
> > > > running something recent, you should be okay.
> > > >
> > > > > Then I can open my application https link in browser. BUT, good
> > > > > time never lasts too long, after several hours, I failed to access
> > > > > my https link again.
> > > >
> > > > What kinds of errors do you get? What do the logs say? What are the
> > > > URLs you are using?
> > > >
> > > > > Anyone has any ideas about this? please share your suggestions...My
> > > > > tomcat version is 7.0.55
> > > >
> > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> > > > should definitely keep your above configuration. There is no need to
> > > > add a trust store or cipher specification to that.
> > > >
> > > > -chris
Re: SSL issue in tomcat
It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y wrote:
> Thank you all. Now it is working fine.
>
> <Connector maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>            keystoreFile="lib/cert/.keystore" keystorePass=""
>            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
>
> By the way, do I need "ciphers" properties here?
>
> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> > Jason,
> >
> > On 1/20/15 4:17 AM, Jason Y wrote:
> > > Recently my application cannot be accessible in browser with https
> > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > >
> > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > 3.0.
> > >
> > > <Connector connectionTimeout="2" redirectPort="8443" />
> > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > >            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > >            keystoreFile="xxx" keystorePass="xxx" />
> > > <Connector protocol="AJP/1.3" redirectPort="8443" />
> >
> > None of the responses you have gotten thus far are useful in any way.
> >
> > Your configuration looks fine to me: sslEnabledProtocols is the way to
> > go, although in recent versions of Tomcat the default is NOT to
> > include any "SSL" protocols and only use the "TLS" ones, so if you are
> > running something recent, you should be okay.
> >
> > > Then I can open my application https link in browser. BUT, good
> > > time never lasts too long, after several hours, I failed to access
> > > my https link again.
> >
> > What kinds of errors do you get? What do the logs say? What are the
> > URLs you are using?
> >
> > > Anyone has any ideas about this? please share your suggestions...My
> > > tomcat version is 7.0.55
> >
> > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> > should definitely keep your above configuration. There is no need to
> > add a trust store or cipher specification to that.
> >
> > -chris
Re: SSL issue in tomcat
Please follow the Apache documentation for the connector configuration. Here is the sample connector configuration [1].

[1] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

On Tue, Jan 20, 2015 at 2:17 PM, Jason Y wrote:
> Hi folks,
>
> Recently my application cannot be accessible in browser with https version.
> I think it is due to vulnerability in ssl 3.0 issue.
>
> I checked my tomcat configuration and replaced sslProtocol="TLS" with
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.
>
> > <Connector connectionTimeout="2"
> >            redirectPort="8443" />
> > <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https"
> >            secure="true"
> >            clientAuth="false"
> >            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> >            keystorePass="xxx" />
>
> Then I can open my application https link in browser. BUT, good time never
> lasts too long, after several hours, I failed to access my https link
> again.
>
> Anyone has any ideas about this? please share your suggestions...My tomcat
> version is 7.0.55
>
> Thank you all very much.
>
> On Tue, Jan 20, 2015 at 3:56 PM, Jason Y wrote:
> > Hi folks,
> >
> > Recently my application cannot be accessible in browser with https
> > version. I think it is due to vulnerability in ssl 3.0 issue.
> >
> > I checked my tomcat configuration and replaced sslProtocol="TLS" with
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.
> >
> >> <Connector connectionTimeout="2"
> >>            redirectPort="8443" />
> >> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> >>            maxThreads="150" SSLEnabled="true" scheme="https"
> >>            secure="true"
> >>            clientAuth="false"
> >>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> >>            keystorePass="xxx" />
> >
> > Then I can open my application https link in browser. BUT, good time never
> > lasts too long, after several hours, I failed to access my https link
> > again.
> >
> > Anyone has any ideas about this? please share your suggestions...My tomcat
> > version is 7.0.55
> >
> > Thank you all very much.
Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04
> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
>            SSLEnabled="true" maxThreads="200" scheme="https"
>            secure="true" keystoreFile="/home/myuser/key.keystore"
>            keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
>            />

Maybe it's due to the truststore file? I haven't seen any truststore file in your connector configuration.

On Wed, Jan 14, 2015 at 11:18 PM, Alexandre Lima wrote:
> On 13 January 2015 at 18:20, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Alexandre,
> >
> > On 1/13/15 2:41 PM, Alexandre Lima wrote:
> > > On 13 January 2015 at 16:11, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > Alexandre,
> > >
> > > On 1/13/15 1:37 PM, Alexandre Lima wrote:
> > Hello! This is the first time I'm using tomcat, so I'm a
> > little bit lost...
> > >
> > > Welcome! Configuring SSL always turns out to be a pain in the
> > > neck.
> > >
> > Using the tutorials, I could make the server and the
> > application I want to run with it work. The only modification
> > I did until now was changing the http port from 8080 to 80, I
> > did that changing the http connector on servers.xml, enabling
> > authbind and executing the following commands:
> >
> > sudo touch /etc/authbind/byport/80
> > sudo chmod 500 /etc/authbind/byport/80
> > sudo chown tomcat7 /etc/authbind/byport/80
> >
> > So, the server and the application I want to use with it are
> > actually working on port 80
> > >
> > > You've confirmed this? I've never used authbind before, so I just
> > > wanted to make sure that you have Tomcat working properly with
> > > non-SSL before you try to add SSL.
> > >
> > , but the next and last step, which is enabling an SSL
> > connection, isn't working.
> >
> > What I did following the site's tutorial was: created my
> > self signed certificate with keytools and put it on
> > /home/myuser/key.keystore
> > >
> > > Can you outline the steps you took? Where is your keystore?
> > >
> > Additionally, I've created the following connector:
> >
> > <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> >            SSLEnabled="true" maxThreads="200" scheme="https"
> >            secure="true" keystoreFile="/home/myuser/key.keystore"
> >            keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> >            />
> > >
> > > That looks good so far.
> > >
> > Saved it, restarted server and accessed https://myip:8443,
> > but it isn't working. Chrome says "No data received" and
> > "Unable to load the webpage because the server sent no data"
> > and "Error code: ERR_EMPTY_RESPONSE".
> >
> > Firefox says that the connection was reset while the page was
> > being loaded.
> >
> > That's where I am now. I don't know what to try anymore.
> > >
> > > Try:
> > >
> > > $ telnet localhost 8443
> > >
> > > (on the server with Tomcat running)
> > >
> > > That will tell you if the port is open (it should be, otherwise
> > > you'd be getting different errors from Chrome and ff) and what, if
> > > anything, gets dumped to it when you connect.
> > >
> > > If you get a connection and nothing happens, try submitting a
> > > request like this:
> > >
> > > $ telnet localhost 8443
> > > GET /
> > >
> > > [output goes here]
> > >
> > > Post the results of the above if you get anything.
> > >
> > > Dumb question: you restarted Tomcat after updating server.xml,
> > > right?
> > >
> > > -chris
> > >
> > > Thank you for the reply Christopher! I've used the command: keytool
> > > -genkey -alias tomcat -keyalg RSA -keystore
> > > /home/myuser/key.keystore to generate the keystore. Should I put
> > > the keystore in some special directory, or is this one fine? So,
> > > after, requesting: telnet localhost 8443
> > >
> > > I got some strange stuff:
> > >
> > > ~$ telnet localhost 8443
> > > Trying ::1...
> > > Connected to localhost.
> > > Escape character is '^]'.
> > > GET /
> > > ^U^C^A^@^B^B
> > >
> > > And yes, I've restarted it :)
> >
> > Good. Now, try this:
> >
> > $ openssl s_client -debug -connect localhost:8443
> >
> > Assuming that the server is running and listening for SSL connections,
> > s_client should be able to connect, and it should give you tons of
> > good information about what's happening, there.
> >
> > -chris
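The "strange stuff" in Alexandre's telnet session is readable once you treat it as bytes: `^U^C^A^@^B^B` is 15 03 01 00 02 02, which is a TLS record header (content type 0x15 = alert, version 0x0301 = TLS 1.0, length 2) followed by the first alert byte (level 2 = fatal); the description byte was not captured. In other words the port is speaking TLS and rejected a plaintext `GET /`, which is the expected reaction and the same thing `openssl s_client` shows at greater length. The decoder below is an added example, not code from the thread or from Tomcat: it turns a caret-style terminal dump into bytes and parses the record header and alert body, flagging truncated captures and non-TLS replies. All input bytes are constructed from that dump.

```python
"""Added example, not code from the thread or from Tomcat: decode what a TLS
server sends back when plaintext such as "GET /" arrives on an HTTPS port.
The sample input is constructed from the telnet dump ^U^C^A^@^B^B quoted in
the thread, i.e. the bytes 15 03 01 00 02 02."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions most often seen when a non-TLS client talks to a TLS port.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}


def caret_to_bytes(dump):
    """Turn a terminal caret dump such as '^U^C^A^@^B^B' into bytes.

    ^@ is 0x00 and ^A..^Z are 0x01..0x1A (the caret flips bit 0x40 of the
    following character); any other character is taken literally."""
    out, i = bytearray(), 0
    while i < len(dump):
        if dump[i] == "^" and i + 1 < len(dump):
            out.append(ord(dump[i + 1]) ^ 0x40)
            i += 2
        else:
            out.append(ord(dump[i]))
            i += 1
    return bytes(out)


def decode_tls_record(data):
    """Parse one TLS record header (5 bytes) and, for alerts, the alert body.

    Returns a dict.  'tls' is False when the first byte is not a TLS content
    type (an HTTP response starts with 'H', 0x48).  'truncated' is True when
    fewer body bytes were captured than the header declares, which is the
    case in the telnet dump: the alert description byte is missing."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES:
        return {"tls": False, "first_bytes": data[:5]}
    body = data[5:5 + length]
    record = {
        "tls": True,
        "content_type": CONTENT_TYPES[ctype],
        "version": VERSIONS.get(version, "unknown 0x%04x" % version),
        "length": length,
        "truncated": len(body) < length,
    }
    if ctype == 21 and body:
        record["alert_level"] = ALERT_LEVELS.get(body[0], "unknown %d" % body[0])
        if len(body) >= 2:
            record["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "code %d" % body[1])
    return record


if __name__ == "__main__":
    # The bytes telnet showed after "GET /" in the thread.
    print(decode_tls_record(caret_to_bytes("^U^C^A^@^B^B")))
```

A fatal alert in reply to plaintext means the listener is up and negotiating TLS, so the browser-side "empty response" is a handshake problem rather than a closed port; `openssl s_client -connect host:8443 -debug` then shows which side aborts and why.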
Re: "Invalid Server SSL Protocol" on Tomcat 8.0.15 with Tomcat Native library 1.1.32 and APR 1.5.1
Hi Mike,

Here is my working configuration with APR. I hope this will work for you.

Regards,
Sanaullah

On Thu, Dec 18, 2014 at 6:15 AM, Mike Wertheim wrote:
> I should have included this in the previous message.
>
> The AprLifecycleListener is declared in server.xml like this:
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> On Wed, Dec 17, 2014 at 5:12 PM, Mike Wertheim wrote:
> >
> > I'm trying to upgrade from Tomcat 7.0.41 with APR to Tomcat 8.0.15 with
> > APR. (I'm using JDK 1.8.0.25 on CentOS.)
> >
> > My first step was to upgrade to Tomcat Native library 1.1.32 and APR 1.5.1
> > while still using Tomcat 7.0.41. This combination works great. My webapp
> > starts up and is accessible using either SSL or non-SSL.
> >
> > Next I upgraded to Tomcat 8.0.15 (again with Tomcat Native library 1.1.32
> > and APR 1.5.1). Tomcat 8.0.15 starts up, and the first lines of
> > catalina.out are a message that shows that Tomcat Native library 1.1.32 and
> > APR 1.5.1 are indeed in use. My webapp starts up and is accessible using
> > non-SSL requests, but SSL requests don't work.
> >
> > When I saw that SSL wasn't working, I looked in catalina.out and saw this:
> >
> > org.apache.coyote.AbstractProtocol.init Failed to initialize end point
> > associated with ProtocolHandler ["http-apr-8443"]
> > java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
> > enabled in the AprLifecycleListener, the AprLifecycleListener has
> > initialised correctly and that a valid SSLProtocol has been specified
> >         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:532)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
> > [...]
> > Caused by: java.lang.Exception: Invalid Server SSL Protocol
> > (error::lib(0):func(0):reason(0))
> >         at org.apache.tomcat.jni.SSLContext.make(Native Method)
> >         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:527)
> >
> > The SSL Connector in server.xml looks like this:
> > <Connector maxKeepAliveRequests="3" keepAliveTimeout="3000"
> >            scheme="https" secure="true" SSLEnabled="true"
> >            SSLCertificateFile="/home/scuser/ssl/cert.crt"
> >            SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
> >            SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
> >            clientAuth="false" sslProtocol="TLS"/>
> >
> > Can anyone see what might be going wrong?
> >
> > Thanks,
> > Mike
Re: APR with PKCS11 support
Hi Chris,

I have attached the diff. Let me know if it's ok.

Regards,
Sanaullah

On Fri, Nov 21, 2014 at 2:08 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 11/18/14 10:26 PM, Sanaullah wrote:
> > Hi Chris,
> >
> > Engine is loaded Successfully. the issue is with tcnative.
> > tcnative was not loading any engine and it was due to
> > HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to
> > call ENGINE_load_builtin_engines. I made one change and in ssl.c of
> > tomcat-native-1.1.31
> >
> > original Preprocessor #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> >
> > Changed to
> >
> > #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> >     ENGINE_cleanup();
> >
> > #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> >     ENGINE_load_builtin_engines();
> > #endif
>
> Can you give me a patch in diff -U form? I'd like to take a look at it
> formally.
>
> Thanks for doing the digging to figure out how to make this work. I
> don't have a non-standard engine available to play with.
>
> Thanks,
> -chris
>
> > On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Sanaullah,
> >
> > On 11/14/14 10:04 PM, Sanaullah wrote:
> >>>> The Engine name is correct its "LunaCA3" Here is the code
> >>>> snippet from the openssl for the confirmation.
> >>>>
> >>>> openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID
> >>>> "LunaCA3"
> >>>>
> >>>> I think the issue is with static and shared libraries of
> >>>> openssl.
> >
> > It could be. Since you are building on *NIX, you should probably
> > be using dynamically-linked shared-libraries. But you have to be
> > careful about the load-ordering if you are using an OpenSSL that is
> > not the system default (e.g. in /usr/lib).
> >
> >>>> if openssl build as shared then this LunaCA3 engine is not
> >>>> working for nodejs and even for Apache as well both required
> >>>> openssl to build static.
> >
> > Interesting...
> >
> >>>> I tried to follow the Build document of tomcat native.
> >>>> Building statically linked library on Unixes
> >>>>
> >>>> To statically link apr and openssl dependencies use the
> >>>> following procedure.
> >>>>
> >>>> You will need to build static version of openssl library.
> >>>>
> >>>>> ./config --prefix=~/natives/openssl no-shared -fPIC
> >>>>> make
> >>>>> make install_sw
> >>>>
> >>>> Apr by default builds both static and dynamic libraries.
> >>>>
> >>>>> ./configure --prefix=~/natives/apr
> >>>>> make
> >>>>> make install
> >>>>
> >>>> After that edit the ~/natives/apr/lib/libapr-1.la file and
> >>>> comment or delete the following sections: dlname='...' and
> >>>> library_names='...' This is needed so that libtool picks the
> >>>> static version of the library.
> >>>>
> >>>> Build Tomcat native by executing
> >>>>
> >>>>> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
> >>>>> make
> >>>>> make install
> >
> > You're reaching the limits of my knowledge about building the
> > whole bundle statically. I'll ping Rainer (CC'd here) who knows
> > more than I do.
> >
> >>>> here is something strange, Openssl successfully build and
> >>>> install with -fPIC but tcnative still give me error.
> >>>>
> >>>> /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
> >>>> R_X86_64_32 against `.rodata' can not be used when making a
> >>>> shared object; recompile with -fPIC
> >>>> /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
> >>>> collect2: error: ld returned 1 exit status
> >>>> make[1]: *** [libtcnative-1.la] Error 1
> >>>> make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
> >>>> make: *** [all-recursive] Error 1
> >>>>
> >>>> I am not sure what to do here ?
Re: APR with PKCS11 support
Hi Chris,

Engine is loaded Successfully. the issue is with tcnative. tcnative was not loading any engine and it was due to HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to call ENGINE_load_builtin_engines. I made one change in ssl.c of tomcat-native-1.1.31.

original Preprocessor:

    #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

Changed to:

    #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
        ENGINE_cleanup();

    #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
        ENGINE_load_builtin_engines();
    #endif

Regards,
Sanaullah

On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 11/14/14 10:04 PM, Sanaullah wrote:
> > The Engine name is correct its "LunaCA3" Here is the code snippet
> > from the openssl for the confirmation.
> >
> > openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"
> >
> > I think the issue is with static and shared libraries of openssl.
>
> It could be. Since you are building on *NIX, you should probably be
> using dynamically-linked shared-libraries. But you have to be careful
> about the load-ordering if you are using an OpenSSL that is not the
> system default (e.g. in /usr/lib).
>
> > if openssl build as shared then this LunaCA3 engine is not working
> > for nodejs and even for Apache as well both required openssl to
> > build static.
>
> Interesting...
>
> > I tried to follow the Build document of tomcat native.
> >
> > Building statically linked library on Unixes
> >
> > To statically link apr and openssl dependencies use the following
> > procedure.
> >
> > You will need to build static version of openssl library.
> >
> > > ./config --prefix=~/natives/openssl no-shared -fPIC
> > > make
> > > make install_sw
> >
> > Apr by default builds both static and dynamic libraries.
> >
> > > ./configure --prefix=~/natives/apr
> > > make
> > > make install
> >
> > After that edit the ~/natives/apr/lib/libapr-1.la file and comment
> > or delete the following sections: dlname='...' and
> > library_names='...' This is needed so that libtool picks the
> > static version of the library.
> >
> > Build Tomcat native by executing
> >
> > > ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
> > > make
> > > make install
>
> You're reaching the limits of my knowledge about building the whole
> bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.
>
> > here is something strange, Openssl successfully build and install
> > with -fPIC but tcnative still give me error.
> >
> > /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
> > /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
> > collect2: error: ld returned 1 exit status
> > make[1]: *** [libtcnative-1.la] Error 1
> > make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
> > make: *** [all-recursive] Error 1
> >
> > I am not sure what to do here ?
>
> Hmm. Let's see if Rainer (or anyone else!) replies.
>
> -chris
Re: APR with PKCS11 support
Hi Chris,

The Engine name is correct its "LunaCA3" Here is the code snippet from the openssl for the confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"

I think the issue is with static and shared libraries of openssl. if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static.

I tried to follow the Build document of tomcat native.

Building statically linked library on Unixes

To statically link apr and openssl dependencies use the following procedure.

You will need to build static version of openssl library.

> ./config --prefix=~/natives/openssl no-shared -fPIC
> make
> make install_sw

Apr by default builds both static and dynamic libraries.

> ./configure --prefix=~/natives/apr
> make
> make install

After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
> make
> make install

here is something strange, Openssl successfully build and install with -fPIC but tcnative still give me error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here ?

Regards,
Sanaullah

On Sat, Nov 15, 2014 at 7:16 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 10/29/14 9:54 AM, Sanaullah wrote:
> > I again started working on SSLEngine with safenet and i need some
> > help, how to enable the debugging? I configure the engine as
> > "LunaCA3".
> >
> >     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="LunaCA3" />
> >
> > Here is error log after starting the server.
> >
> > Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> > Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> > SEVERE: Failed to initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
>
> So the error code 70023 is (at least on my Linux system) equal to the
> APR error code with the label APR_ENOTIMPL. I can see that in a few
> places in the native implementation of the "initialize" method:
>
> Starting on line native/src/ssl.c:679:
>
>     if ((ee = ENGINE_by_id(J2S(engine))) == NULL
>         && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
>         err = APR_ENOTIMPL;
>     else {
>         if (strcmp(J2S(engine), "chil") == 0)
>             ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
>         if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
>             err = APR_ENOTIMPL;
>     }
>
> Again, starting on native/src/ssl.c:711:
>
>     SSL_TMP_KEYS_INIT(r);
>     if (r) {
>         TCN_FREE_CSTRING(engine);
>         ssl_init_cleanup(NULL);
>         tcn_ThrowAPRException(e, APR_ENOTIMPL);
>         return APR_ENOTIMPL;
>     }
>
> So, either the engine cannot be loaded, or we can't call
> ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
> key init that's failing, given that you are trying to use a special
> engine.
>
> Are you comfortable modifying the code for tcnative? If you are on a
> UNIX platform, (re-)compilation is pretty easy. You can add some code
> to dump-out the state of things while the code executes.
>
> I noticed at some point (re-reading the thread) that you were using
> "SSLCryptoDevice LunaCA" but then somehow you and I started using
> "LunaCA3". Have you tried with "LunaCA" (without the 3)?
>
> When you can get httpd to do this for you, do you have to modify the
> LD_LIBRARY_PATH or p
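The initialize path Chris quotes fails with APR_ENOTIMPL either because OpenSSL itself cannot find the engine or because tcnative never called ENGINE_load_builtin_engines(), which is what Sanaullah's ssl.c change addresses. A quick way to tell the two apart is to ask the OpenSSL on the library path directly whether it can load the engine id. The following is an added example, not tcnative or Tomcat code; it wraps the standard `openssl engine -t <id>` command, the engine id "LunaCA3" is the one from this thread, and the sample output used for the parser is constructed:

```python
"""Check whether the OpenSSL on PATH can load a named ENGINE.

Added example (not tcnative or Tomcat code). It wraps `openssl engine -t`,
whose output lists each engine as "(id) description" followed by a
"[ available ]" / "[ unavailable ]" status line. SAMPLE_ENGINE_OUTPUT is a
constructed sample of that format.
"""
import re
import shutil
import subprocess

# Constructed sample of `openssl engine -t` output: one loadable engine, one not.
SAMPLE_ENGINE_OUTPUT = """\
(LunaCA3) LunaCA3 engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
"""

_ENGINE_HDR = re.compile(r"^\((\S+)\)\s")
_ENGINE_STATUS = re.compile(r"\[\s*(available|unavailable)\s*\]")


def parse_engine_output(text):
    """Return {engine_id: True/False} from `openssl engine -t` output."""
    status, current = {}, None
    for line in text.splitlines():
        m = _ENGINE_HDR.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ENGINE_STATUS.search(line)
        if m and current is not None:
            status[current] = (m.group(1) == "available")
    return status


def engine_available(engine_id, text):
    """True only if the id appears in the output and is reported available."""
    return parse_engine_output(text).get(engine_id, False)


def check_engine(engine_id, openssl="openssl", timeout=10):
    """Run the CLI for a live check.

    Returns (True/False, openssl version line), or (None, reason) when the
    openssl binary is not on PATH. A non-zero exit (e.g. "invalid engine")
    means this OpenSSL build does not know the id at all.
    """
    if shutil.which(openssl) is None:
        return None, f"{openssl} not found on PATH"
    ver = subprocess.run([openssl, "version"], capture_output=True, text=True, timeout=timeout)
    proc = subprocess.run([openssl, "engine", "-t", engine_id],
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        return False, (proc.stderr.strip() or ver.stdout.strip())
    return engine_available(engine_id, proc.stdout), ver.stdout.strip()


if __name__ == "__main__":
    print(check_engine("LunaCA3"))
```

If the CLI reports the engine available while Tomcat still fails with 70023, the problem is on the tcnative side (engines never loaded, or ENGINE_set_default failing), not in OpenSSL. The version line is printed because the CLI and tcnative can be linked against different libcrypto copies, which is the load-ordering trap Chris mentions for a non-system OpenSSL.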
Re: APR with PKCS11 support
I again started working on SSLEngine with safenet and i need some help, how to enable the debugging? I configure the engine as "LunaCA3".

Here is error log after starting the server.

Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
        at org.apache.tomcat.jni.SSL.initialize(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Oct 29, 2014 1:40:22 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised cor$
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
        at org.apache.tomcat.jni.SSLContext.make(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
        ... 16 more

Regards,
Sanaullah

On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sunaullah,
>
> On 7/26/14, 4:50 AM, Sanaullah wrote:
> > I tried that configuration but getting errors.
>
> I just want you to know that you haven't been forgotten: I'm on
> vacation for a bit but I'd really like to take a look at this issue
> when I return.
>
> In the meantime, feel free to check
Re: Does APR/tomcat-native support TLS 1.2?
I face the same issue with tomcat 7.0.47. you can find the details below, how i apply the patches and things get worked.

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. you have to apply these two patches in order to run TLSv1.1 and tlsv1.2

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spend 5 hours to test this. I am using ubuntu trusty. Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...........V..IQ
    0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
    0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.....;>m.
    0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ......T#.9-Z..^!
    0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*....
    0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
    0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
    0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....' ..

How To Apply the patches.

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch will be applied to tomcat-native-1.1.29. after the patch compile it using

cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

copy the libs and place them to default lib directory of ubuntu

cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2- Get the source code of tomcat-7.0.47. install jdk6 apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166 to tomcat-7.0.47. export the jdk6 path. run "ant" in the source folder. this will download many files and also compile the code. there will be some errors related to SSLV2. comment that code. as sslv2 will no more supported. after the successful build start the tomcat server.

let me know if there is still any errors.

Regards,
Sanaullah

On Tue, Sep 2, 2014 at 10:34 PM, Amos Anderson wrote:
> Hello Tomcat Users --
>
> I posted this question elsewhere yesterday and then realized I should have
> sent it to this mailing list.
>
> I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6
> years ago). I can get TLS 1.0 to work, but NIST [says][1] that I "shall
> not" use TLS 1.0. I know I can use JSSE instead to get TLS 1.2, but why
> can't I get APR to support it? A few online guides I've read recommend APR
> over JSSE, it looks like I get better ciphers out of the box with
> APR/OpenSSL than JSSE, and I can use cipher suites with OpenSSL so it seems
> easier to maintain.
>
> According to [this][2] bug report it
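The `openssl s_client` transcript above is the evidence that the patched connector negotiates TLSv1.2, but reading it by eye does not scale across many connectors. The following is an added example, not part of the thread and not Tomcat or OpenSSL code: it parses the parts of s_client output that matter for a TLS review (negotiated protocol and cipher, certificate verification errors, compression, secure renegotiation, session ticket lifetime) and reports findings against a TLSv1.2 floor. THREAD_SAMPLE is the transcript from the message above, trimmed; WEAK_SAMPLE is a constructed transcript of an old-style endpoint so the checks have something to flag:

```python
"""Parse `openssl s_client` output and report handshake properties worth auditing.

Added example, not from the thread or from Tomcat/OpenSSL. THREAD_SAMPLE is the
thread's s_client output, trimmed; WEAK_SAMPLE is constructed.
"""
import re

PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

THREAD_SAMPLE = """\
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    TLS session ticket lifetime hint: 300 (seconds)
"""

# Constructed: an endpoint still offering TLSv1, compression and legacy renegotiation.
WEAK_SAMPLE = """\
CONNECTED(00000003)
depth=0 CN = legacy.example.invalid
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

# Single-value fields; the session block lines are indented, the summary lines are not.
_SIMPLE = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)"),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)"),
    "compression": re.compile(r"^Compression:\s*(\S+)"),
    "key_bits": re.compile(r"^Server public key is (\d+) bit"),
    "ticket_lifetime": re.compile(r"^\s*TLS session ticket lifetime hint:\s*(\d+)"),
}
_INT_FIELDS = {"key_bits", "ticket_lifetime"}
_VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_s_client(text):
    """Extract the handshake summary into a dict; missing fields stay None."""
    r = {k: None for k in _SIMPLE}
    r["verify_errors"] = []           # list of (num, message) from the chain check
    r["secure_renegotiation"] = None  # True / False / None (line absent)
    for line in text.splitlines():
        for key, pat in _SIMPLE.items():
            m = pat.match(line)
            if m:
                r[key] = int(m.group(1)) if key in _INT_FIELDS else m.group(1)
        m = _VERIFY_ERR.match(line)
        if m:
            r["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
        if line.startswith("Secure Renegotiation IS NOT supported"):
            r["secure_renegotiation"] = False
        elif line.startswith("Secure Renegotiation IS supported"):
            r["secure_renegotiation"] = True
    return r


def audit(result, floor="TLSv1.2"):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    proto = result["protocol"]
    if proto is None:
        findings.append("no SSL-Session block: the handshake did not complete")
    elif PROTO_RANK.get(proto, 0) < PROTO_RANK[floor]:
        findings.append(f"negotiated {proto}, below {floor}")
    for num, msg in result["verify_errors"]:
        findings.append(f"certificate verification error {num}: {msg}")
    if result["compression"] not in (None, "NONE"):
        findings.append(f"TLS compression enabled ({result['compression']})")
    if result["secure_renegotiation"] is False:
        findings.append("secure renegotiation (RFC 5746) not supported")
    return findings


if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(name, audit(parse_s_client(sample)))
```

On the thread's transcript the only finding is the self-signed certificate (verify error 18), which is expected for a lab box and would be a real finding in production. To confirm that an endpoint also refuses the older versions rather than merely preferring TLSv1.2, repeat the capture with `openssl s_client -tls1` and `-tls1_1`: for those runs the parser should report that the handshake did not complete.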
Re: APR with PKCS11 support
Hi Chris,

did you get any chance to take a look into the issue ?

Regards,
Sanaullah

On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sunaullah,
>
> On 7/26/14, 4:50 AM, Sanaullah wrote:
> > I tried that configuration but getting errors.
>
> I just want you to know that you haven't been forgotten: I'm on
> vacation for a bit but I'd really like to take a look at this issue
> when I return.
>
> In the meantime, feel free to check out the tcnative code if you want
> to see what is going on, or someone else could chime-in and give an
> opinion (or -- *gasp* -- a proposed patch!).
>
> Thanks,
> -chris
>
> > NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> > Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> > SEVERE: Failed to initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
> >         at org.apache.tomcat.jni.SSL.initialize(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
> >         at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
> >         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> >         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> >         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> >
> > On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > Sanaullah,
> > >
> > > On 7/25/14, 9:16 AM, Sanaullah wrote:
> > > > httpd is working with HSM with addition of parameter
> > > > SSLCryptoDevice=LunaCA but when i try the same parameter in
> > > > tomEE. TomEE don't recognized this parameters.
> > > >
> > > > WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
> > > > Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find
> > > > a matching property.
> > > >
> > > > Any Idea?
> > >
> > > Try setting SSLEngine="LunaCA3" instead of SSLEngine="on" in your:
> > >
> > >     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> > >
> > > -chris
> > >
> > > > On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > > > Sanaullah,
> > > > >
> > > > > On 7/10/14, 4:19 AM, Sanaullah wrote:
> > > > > > is there a way i can use pkcs11 supported
> > > > > > SmartCard/token when using APR based SSL Connector in
> > > > > > tomcat ? PEM encoded certificates and keys are stored
> > > > > > in smartcard.
> > > > > >
> > > > > > I know BIO/NIO connectors supported token/HSM but I am
> > > > > > looking for APR based connectors?
Re: JSSE or APR
you can verify this in your connector configuration and also in the logs. Here are the connector attributes.

org.apache.coyote.http11.Http11Protocol - blocking Java connector
org.apache.coyote.http11.Http11NioProtocol - non blocking Java connector
org.apache.coyote.http11.Http11AprProtocol - the APR/native connector.

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

Regards,
Sanaullah

On Wed, Aug 20, 2014 at 9:08 PM, John McLean wrote:
> I'm reading through the following guide:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>
> and i'm bit confused about whether I should be using (am using) JSSE or
> APR, this has implications for how I adjust the tomcat config file.
>
> I used the following ubuntu guide to create my csr:
>
> https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
>
> This used openssl so does than mean I'm using APR?
>
> Other posts seem to point out that chances are, i'm using JSSE, if I don't
> know better, which I think is where I am, hence my confusion.
>
> I guess what I'm asking is, how do I confirm if I am using JSSE or APR ?
>
> Thanks
> John
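The question "am I on JSSE or APR?" matters because the two implementations read different SSL attribute families, and a Connector that is silently using the wrong one either starts without TLS or logs "did not find a matching property" warnings as in the threads above. The following is an added example, not Tomcat code: it classifies every Connector in a Tomcat 7 / 8.0 server.xml by its protocol attribute (the three class names listed above, plus the default "HTTP/1.1" which auto-selects at startup), and flags SSL-enabled connectors whose attributes belong to the other implementation or whose AprLifecycleListener has SSLEngine off. The server.xml it runs on is constructed; the attribute families follow the Tomcat 7 HTTP connector documentation linked above:

```python
"""Classify Tomcat 7 / 8.0 connectors and flag SSL attribute sets the chosen
implementation would ignore.

Added example, not Tomcat code. SAMPLE_SERVER_XML is constructed (the keystore
password in it is a placeholder); attribute families follow the Tomcat 7 docs.
"""
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"
BIO = "org.apache.coyote.http11.Http11Protocol"
NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# The APR/native connector reads the OpenSSL-style SSL* attributes; the Java
# connectors read the JSSE keystore attributes. Each ignores the other family.
APR_SSL_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
                 "SSLCipherSuite", "SSLProtocol", "SSLHonorCipherOrder",
                 "SSLDisableCompression", "SSLVerifyClient", "SSLPassword"}
JSSE_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
                  "truststoreFile", "sslProtocol", "ciphers", "clientAuth"}

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="${catalina.base}/conf/server.pem"
               SSLCertificateKeyFile="${catalina.base}/conf/server-key.pem"
               SSLProtocol="TLSv1.2" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/keystore.jks" keystorePass="PLACEHOLDER" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/keystore.jks" keystorePass="PLACEHOLDER" />
  </Service>
</Server>
"""


def classify_protocol(protocol):
    """Map the Connector protocol attribute to the implementation it selects."""
    if protocol == APR:
        return "APR/native"
    if protocol == BIO:
        return "Java blocking (BIO)"
    if protocol == NIO:
        return "Java non-blocking (NIO)"
    if protocol in (None, "HTTP/1.1"):
        # Auto-selection: APR/native if tcnative is found on the library path, else Java blocking.
        return "auto"
    return "other"


def audit_server_xml(xml_text):
    """Return one record per Connector: port, implementation, SSL flag and findings."""
    root = ET.fromstring(xml_text)
    listener = root.find(f"Listener[@className='{APR_LISTENER}']")
    ssl_engine = listener.get("SSLEngine", "off") if listener is not None else "off"
    report = []
    for conn in root.iter("Connector"):
        impl = classify_protocol(conn.get("protocol"))
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        attrs = set(conn.keys())
        findings = []
        if ssl:
            has_apr = bool(attrs & APR_SSL_ATTRS)
            has_jsse = bool(attrs & JSSE_SSL_ATTRS)
            if impl == "APR/native":
                if has_jsse:
                    findings.append("JSSE keystore attributes are ignored by the APR connector")
                if not has_apr:
                    findings.append("no SSLCertificateFile/SSLCertificateKeyFile for the APR connector")
                if ssl_engine == "off":
                    findings.append("AprLifecycleListener SSLEngine is off, so no SSLContext can be created")
            elif impl.startswith("Java"):
                if has_apr:
                    findings.append("APR SSL* attributes are ignored by the JSSE connector")
                if not has_jsse:
                    findings.append("no keystoreFile for the JSSE connector")
            elif impl == "auto":
                findings.append("protocol=HTTP/1.1 picks APR or JSSE at startup; set it explicitly so the SSL attributes match")
        report.append({"port": conn.get("port"), "impl": impl, "ssl": ssl, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_server_xml(SAMPLE_SERVER_XML):
        print(entry)
```

Port 8445 in the sample is the mistake the thread warns about: an APR connector configured with a JKS keystore, which the native connector never reads. The startup log confirms the classification independently: "Loaded APR based Apache Tomcat Native library" followed by ProtocolHandler names of the form "http-apr-8443" means APR, while "http-bio-" or "http-nio-" handler names mean JSSE.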
Re: JKS keystore password Encryption
Hi Chris,

I don't want to pass the audit. I am just curious why Jboss implemented that ? and what's the purpose of SRP protocol implementation just to pass the audit?

[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol

Regards,
Sanaullah

On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 8/4/14, 9:19 PM, Sanaullah wrote:
> > Thanks to all.
> >
> > I was looking something similar to this [1] which is implemented in
> > JBoss.
> >
> > [1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html
>
> Congratulations:
>
> > you'll pass a security audit that flags this as a problem.
>
> Fail: you have moved your password to another file, and not gained a
> single thing.
>
> You may now celebrate the incompetence of both your auditors and
> engineering staff for sidestepping an issue rather than soberly
> dealing with it head-on.
>
> This is why formal risk analyses are much better than crappy
> script-based security audits. First of all, they force you to be much
> more creative than a script you paid someone a huge sum of money to
> run that only tells you obvious things that a light reading of any
> OWASP documentation would already tell you, *and* it gives you the
> opportunity to say "this thing doesn't matter at all, and even if we
> *did* do something about it, it wouldn't make any damn bit of difference."
>
> It's time engineering teams started teaching management about security.
>
> -chris
Re: JKS keystore password Encryption
Thanks to all.

I was looking something similar to this [1] which is implemented in JBoss.

[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

On Tue, Aug 5, 2014 at 3:43 AM, Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:
> Sanaullah,
>
> On 4.8.2014 17:26, Sanaullah wrote:
> > I will also search the archive as well.
>
> You may find Wiki also useful:
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> -Ognjen
Re: JKS keystore password Encryption
Thanks Andre and Ulises. I will also search the archive as well.

Regards,
Sanaullah

On Mon, Aug 4, 2014 at 8:07 PM, Ulises González Horta wrote:
> On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
> > And if someone non-authorized has access to Tomcat's server.xml, then you
> > have bigger problems than a non-encrypted password.
>
> Maybe the best solution could be put the right permission to server.xml and do
> not give the root password to other users
>
> Regards, Ulinx
> "In a problem with n equations
> there will always be at least n+1 unknowns"
> Linux user 366775
JKS keystore password Encryption
Hi,

is there a way i can replace plain JKS keystore password with encrypted password in tomcat server.xml?

Regards,
Sanaullah
Re: APR with PKCS11 support
I tried that configuration but getting errors.

NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
        at org.apache.tomcat.jni.SSL.initialize(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 7/25/14, 9:16 AM, Sanaullah wrote:
> > httpd is working with HSM with addition of parameter
> > SSLCryptoDevice=LunaCA but when i try the same parameter in tomEE.
> > TomEE don't recognized this parameters.
> >
> > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> > property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching
> > property.
> >
> > Any Idea?
>
> Try setting SSLEngine="LunaCA3" instead of SSLEngine="on" in your:
>
>     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> -chris
>
> > On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > Sanaullah,
> > >
> > > On 7/10/14, 4:19 AM, Sanaullah wrote:
> > > > is there a way i can use pkcs11 supported SmartCard/token
> > > > when using APR based SSL Connector in tomcat ? PEM encoded
> > > > certificates and keys are stored in smartcard.
> > > >
> > > > I know BIO/NIO connectors supported token/HSM but I am
> > > > looking for APR based connectors?
> > >
> > > I'm no expert at such configurations, but since tcnative/APR uses
> > > OpenSSL for its crypto engine, then it can do anything OpenSSL can
> > > do. Have you been able to configure e.g. httpd to use this kind of
> > > setup? If so, there ought to be a way to make it happen using
> > > Tomcat's APR connector.
> > >
> > > -chris
Re: APR with PKCS11 support
Hi Chris,

httpd is working with the HSM with the addition of the parameter SSLCryptoDevice=LunaCA, but when I try the same parameter in TomEE, TomEE doesn't recognize this parameter.

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property.

Any idea?

Regards,
Sanaullah

On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 7/10/14, 4:19 AM, Sanaullah wrote:
> > Is there a way I can use a PKCS11 supported smartcard/token when
> > using the APR based SSL connector in Tomcat? PEM encoded certificates
> > and keys are stored in the smartcard.
> >
> > I know the BIO/NIO connectors support tokens/HSMs, but I am looking for
> > the APR based connector.
>
> I'm no expert at such configurations, but since tcnative/APR uses
> OpenSSL for its crypto engine, it can do anything OpenSSL can do.
> Have you been able to configure e.g. httpd to use this kind of setup?
> If so, there ought to be a way to make it happen using Tomcat's APR
> connector.
>
> -chris
Re: APR with PKCS11 support
Thanks Chris, I haven't tried such configurations with httpd. I will explore that now.

Regards,
Sanaullah

On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 7/10/14, 4:19 AM, Sanaullah wrote:
> > Is there a way I can use a PKCS11 supported smartcard/token when
> > using the APR based SSL connector in Tomcat? PEM encoded certificates
> > and keys are stored in the smartcard.
> >
> > I know the BIO/NIO connectors support tokens/HSMs, but I am looking for
> > the APR based connector.
>
> I'm no expert at such configurations, but since tcnative/APR uses
> OpenSSL for its crypto engine, it can do anything OpenSSL can do.
> Have you been able to configure e.g. httpd to use this kind of setup?
> If so, there ought to be a way to make it happen using Tomcat's APR
> connector.
>
> -chris
APR with PKCS11 support
Hi All,

Is there a way I can use a PKCS11 supported smartcard/token when using the APR based SSL connector in Tomcat? PEM encoded certificates and keys are stored in the smartcard.

I know the BIO/NIO connectors support tokens/HSMs, but I am looking for the APR based connector.

Regards,
Sanaullah
Re: detailed APR/SSL logging
I still stick to my opinion: the patches needed to be applied for TLS 1.2 with SSL/APR. Everything is working after applying the patch, except this ECC certificate chain. I am just looking around for where to get the detailed logs.

On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sanaullah,
>
> On 1/7/14, 8:06 AM, Sanaullah wrote:
> > This issue is only with my ECC certificates. The whole
> > configuration works pretty well with TLS 1.2 when I am using the RSA
> > certs. OpenSSL self-signed ECC certs are also working.
> >
> > On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:
> >
> > > Here is my configuration. I am using OpenSSL. I haven't installed
> > > any certificate in the JVM truststore.
> > >
> > > <Connector port="8443" SSLEnabled="true"
> > >            maxThreads="150" scheme="https" secure="true" clientAuth="false"
> > >            SSLProtocol="All"
> > >            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> > >            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> > >            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
> > >
> > > On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:
> > >
> > > > > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > > > > Subject: detailed APR/SSL logging
> > > > > From: sanaulla...@gmail.com
> > > > > To: users@tomcat.apache.org
> > > > >
> > > > > Hi,
> > > > >
> > > > > Does anyone know how I can get the detailed APR/SSL debug
> > > > > logs? I need to know where my SSL session is getting broken;
> > > > > there is nothing in the catalina.out log.
> > > > >
> > > > > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > > > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > > > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > > > > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > > > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > > > INFO: Initializing ProtocolHandler ["http-apr-8080"]
> > > > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > > > INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
> > > > > INFO: Initialization processed in 696 ms
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
> > > > > INFO: Starting service Catalina
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
> > > > > INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> > > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> > > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> > > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> > > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ho
Re: detailed APR/SSL logging
This issue is only with my ECC certificates. The whole configuration works pretty well with TLS 1.2 when I am using the RSA certs. OpenSSL self-signed ECC certs are also working.

On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:
> Here is my configuration. I am using OpenSSL. I haven't installed any
> certificate in the JVM truststore.
>
> <Connector port="8443" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false"
>            SSLProtocol="All"
>            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>
> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:
>
> > > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > > Subject: detailed APR/SSL logging
> > > From: sanaulla...@gmail.com
> > > To: users@tomcat.apache.org
> > >
> > > Hi,
> > >
> > > Does anyone know how I can get the detailed APR/SSL debug logs? I need
> > > to know where my SSL session is getting broken; there is nothing in the
> > > catalina.out log.
> > >
> > > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > INFO: Initializing ProtocolHandler ["http-apr-8080"]
> > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
> > > INFO: Initialization processed in 696 ms
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
> > > INFO: Starting service Catalina
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
> > > INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
> > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
> > > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > > INFO: Starting ProtocolHandler ["http-apr-8080"]
> > > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > > INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
> > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
> > > INFO: Server startup in 935 ms
> > >
> > > --
> > > The server comes up properly with OpenSSL and the certs, but when I try to
> > > connect to it with openssl s_client
Re: detailed APR/SSL logging
Here is my configuration. I am using OpenSSL. I haven't installed any certificate in the JVM truststore.

<Connector port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           SSLProtocol="All"
           SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
           SSLCertificateFile="/home/san/certs/pay-test/test.pem"
           SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>

On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:

> > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > Subject: detailed APR/SSL logging
> > From: sanaulla...@gmail.com
> > To: users@tomcat.apache.org
> >
> > Hi,
> >
> > Does anyone know how I can get the detailed APR/SSL debug logs? I need to
> > know where my SSL session is getting broken; there is nothing in the
> > catalina.out log.
> >
> > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > INFO: Initializing ProtocolHandler ["http-apr-8080"]
> > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
> > INFO: Initialization processed in 696 ms
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
> > INFO: Starting service Catalina
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
> > INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
> > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
> > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > INFO: Starting ProtocolHandler ["http-apr-8080"]
> > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
> > INFO: Server startup in 935 ms
> >
> > --
> > The server comes up properly with OpenSSL and the certs, but when I try to
> > connect to it with openssl s_client it gets an error:
> >
> > --
> > root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
> > CONNECTED(0003)
> > write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
detailed APR/SSL logging
Hi,

Does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken; there is nothing in the catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms

--
The server comes up properly with OpenSSL and the certs, but when I try to connect to it with openssl s_client it gets an error:

--
root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
- 15 03 03 00 02                                    .....
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
- 02 28                                             .(
3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074095420:error:1409E0E5:
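The two records in the s_client -debug output above, decoded: the 319-byte ClientHello the client wrote and the 7-byte alert the server answered with. This is an added example, not code from the thread; the dump text is constructed in s_client's output format from the byte values quoted in the post, and the lookup tables are the standard TLS 1.2 code points.

```python
import re
import struct

# Code points from RFC 5246 for the fields decoded below.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}

# One hex line of `s_client -debug` output: optional 4-digit offset, " - ",
# up to 16 byte pairs separated by a space (a '-' after the 8th), then ASCII.
_DUMP_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]{4}\s+)?-\s+((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")


def decode_s_client_dump(text: str) -> bytes:
    """Collect the raw bytes from the hex-dump lines of s_client -debug output.
    'read from' / 'write to' headers and the ASCII column are ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(out)


def parse_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header: content type, legacy version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype:#x})"),
        "record_version": VERSIONS.get((major, minor), f"{major}.{minor}"),
        "length": length,
    }


def parse_alert(data: bytes) -> dict:
    """Decode an alert record such as 15 03 03 00 02 | 02 28 (fatal handshake_failure)."""
    rec = parse_record_header(data)
    if rec["content_type"] != "alert":
        raise ValueError("not an alert record")
    if rec["length"] != 2 or len(data) < 7:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = data[5], data[6]
    rec.update(level=ALERT_LEVELS.get(level, f"unknown({level})"),
               description=ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
               description_code=desc)  # "SSL alert number 40" in the OpenSSL error
    return rec


def parse_handshake_prefix(data: bytes) -> dict:
    """Decode the record header, handshake header and hello version from the
    first bytes of a handshake record; the rest of the message may be absent."""
    rec = parse_record_header(data)
    if rec["content_type"] != "handshake":
        raise ValueError("not a handshake record")
    body = data[5:]
    if len(body) < 6:
        raise ValueError("need handshake type, length and version")
    hs_type = body[0]
    hs_length = int.from_bytes(body[1:4], "big")
    rec.update(handshake_type=HANDSHAKE_TYPES.get(hs_type, f"unknown({hs_type})"),
               handshake_length=hs_length,
               hello_version=VERSIONS.get((body[4], body[5]), f"{body[4]}.{body[5]}"),
               # One handshake message per record here, so the record length must be
               # the handshake length plus its 4-byte header (314 == 310 + 4).
               lengths_consistent=(rec["length"] == hs_length + 4))
    return rec


# Constructed samples in the format s_client -debug prints, using the byte
# values quoted in the thread: the first 16 bytes of the 319-byte ClientHello
# and the two reads that make up the server's 7-byte alert.
CLIENT_HELLO_DUMP = """\
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   :...6..R...E
"""
SERVER_ALERT_DUMP = """\
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
"""

if __name__ == "__main__":
    hello = parse_handshake_prefix(decode_s_client_dump(CLIENT_HELLO_DUMP))
    alert = parse_alert(decode_s_client_dump(SERVER_ALERT_DUMP))
    print("client sent:", hello)   # TLSv1.2 client_hello in a 314-byte record (319 - 5)
    print("server sent:", alert)   # fatal handshake_failure, description code 40
```

The server answered the ClientHello with a fatal alert before sending any handshake message of its own, which is why the failure leaves no trace in catalina.out: the record never reached Tomcat's Java layer.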
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Most of the people puking here about TLSv1.1 and TLSv1.2 support in Tomcat 7.0.47 are just trying to make themselves look over-smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You have to apply these two patches in order to run TLSv1.1 and TLSv1.2:

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty. Here is my test result:

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

How to apply the patches:

1. https://issues.apache.org/bugzilla/attachment.cgi?id=30150 is applied to tomcat-native-1.1.29. After patching, compile it using:

   cd tomcat-native-1.1.29/jni/native/
   ./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
   make
   cd tomcat-native-1.1.29/jni
   ant

   Copy the libs and place them in the default lib directory of Ubuntu:

   cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2. Get the source code of tomcat-7.0.47. Install JDK 6. Apply this patch, https://issues.apache.org/bugzilla/attachment.cgi?id=30166, to tomcat-7.0.47. Export the JDK 6 path. Run "ant" in the source folder; this will download many files and also compile the code. There will be some errors related to SSLv2: comment out that code, as SSLv2 is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.

Regards,
San

On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian wrote:
> On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> > Musassir,
> >
> > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > Again, we have to submit this as a bug. TLS 1.2 is not working
> > > in Tomcat
> >
> > Tomcat 7.0.74
> > Oracle Java 1.7.0_45
> > tcnative 1.1.29 trunk (essentially 1.2.29
> >
> > tcnative$ make clean
> > tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> > tcnative$ time make
> > [...]
> > make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >
> > real    0m14.790s
> > user    0m15.300s
> > sys     0m1.840s
> >
> > tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >
> > tcnative$ cd $CATALINA_BA
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
There is also a bug fix for the support of TLS 1.1 and TLS 1.2 by Marcel Šebek. Maybe that needs to be applied as well: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1

On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah wrote:
> You can create the ECC self-signed certificates using the below two
> commands of OpenSSL:
>
> openssl ecparam -out sinful.key -name prime256v1 -genkey
> openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650
>
> root@ubuntu:/# openssl s_client -connect localhost:8443
> CONNECTED(0003)
> Server certificate
> ---
> SSL handshake has read 836 bytes and written 453 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
> Server public key is 256 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDH-ECDSA-AES256-SHA
>     Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
>     Session-ID-ctx:
>     Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>
>     Start Time: 1388891510
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
>
> I am also unable to initialize any TLS 1.1 or TLS 1.2 related ECC ciphers.
>
> Here is my config:
> tomcat 7.0.47
> libapr 1.5.0-1
> tcnative 1.1.29-1
>
> <Connector SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            SSLProtocol="all"
>            SSLCertificateFile="/home/san/sinful.pem"
>            SSLCertificateKeyFile="/home/san/sinful.key" />
>
> On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Mark,
> >
> > On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> > > > Musassir,
> > > >
> > > > On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> > > > > Musassir,
> > > > >
> > > > > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > > > > Again, we have to submit this as a bug. TLS 1.2 is not
> > > > > > working in Tomcat
> > > > >
> > > > > Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
> > > > > (essentially 1.2.29
> > > > >
> > > > > tcnative$ make clean tcnative$ ./configure --with-apr=`which
> > > > > apr-config` --with-java-home=/usr/local/java-7 --wi
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
You can create the ECC self-signed certificates using the two OpenSSL commands below:

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(0003)
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES256-SHA
    Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
    Session-ID-ctx:
    Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1x.f}G{..
    0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.7s.P..>
    0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb..m.6
    0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.4..[.
    0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
    0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
    0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D13nQ.O^
    0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
    0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.
    0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?
    00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   ...Nw.."...h

    Start Time: 1388891510
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

I am also unable to initialize any TLS1.1 or TLS1.2 related ECC ciphers.

Here is my config:
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1

On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Mudassir,
> >>
> >> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> >>> Mudassir,
> >>>
> >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> >>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
> >>>
> >>> Tomcat 7.0.74
> >>> Oracle Java 1.7.0_45
> >>> tcnative 1.1.29 trunk (essentially 1.2.29
> >>>
> >>> tcnative$ make clean
> >>> tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> >>> tcnative$ time make
> >>> [...]
> >>> make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >>>
> >>> real    0m14.790s
> >>> user    0m15.300s
> >>> sys     0m1.840s
> >>>
> >>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >>>
> >>> tcnative$ cd $CATALINA_BASE
> >>>
> >>> tomcat$ cat conf/server.xml
> >>>
> >>> [...]
> >>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>>            SSLEnabled="true" secure="true" scheme="https"
> >>>            SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>>            SSLCertificateChainFile="[...]" SSLProtocol="all"
> >>>            executor="tomcatThreadPool" URIEncoding="UTF-8" />
> >>> [...]
> >>>
> >>> tomcat$ bin/startup.sh
> >>>
> >>> [...]
> >>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> >>> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> >>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> >>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> >>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
> >>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> >>> [...]
> >>>
> >>> tomcat$ openssl s_client -connect myhost:8218
> >>> [...]
> >>> verify error:num=19:self signed certificate in certificate chain
> >>> [...]
> >>> SSL-Session:
> >>>     Protocol  : TLSv1.2
> >>>     Cipher    : D
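The `openssl s_client` output above is where the answer to "did TLS 1.2 and an ECC cipher actually get negotiated?" lives: the `Protocol`, `Cipher` and `Verify return code` lines of the `SSL-Session` block. The following script is an added example, not code from the thread or from the Tomcat project; it parses such output into a summary and reports defender-side findings (protocol below a required minimum, unverified certificate, TLS compression, no session ticket). The sample output it runs on is constructed to match the shape of the session quoted above, with the certificate body and ticket bytes left out.

```python
import re

# Constructed sample, not captured from the original poster's machine: the
# relevant lines of an `openssl s_client` session in the same shape as the
# one quoted above (certificate body and session ticket bytes omitted).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES256-SHA
    Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1388891510
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
"""

# Protocol versions in increasing order, used to compare against a minimum.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Field patterns; `Protocol`/`Cipher` are anchored to line starts so the
# "New, TLSv1/SSLv3, Cipher is ..." summary line is not mistaken for them.
_PATTERNS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "public_key_bits": re.compile(r"^Server public key is (\d+) bit", re.M),
    "compression": re.compile(r"^Compression:\s*(\S+)", re.M),
    "ticket_lifetime": re.compile(r"TLS session ticket lifetime hint:\s*(\d+)"),
    "verify": re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)"),
}


def parse_s_client(output):
    """Extract the handshake facts from `openssl s_client` output."""
    summary = {
        "protocol": None, "cipher": None, "public_key_bits": None,
        "compression": None, "ticket_lifetime": None,
        "verify_code": None, "verify_reason": None,
    }
    for key in ("protocol", "cipher", "compression"):
        m = _PATTERNS[key].search(output)
        if m:
            summary[key] = m.group(1)
    m = _PATTERNS["public_key_bits"].search(output)
    if m:
        summary["public_key_bits"] = int(m.group(1))
    m = _PATTERNS["ticket_lifetime"].search(output)
    if m:
        summary["ticket_lifetime"] = int(m.group(1))
    m = _PATTERNS["verify"].search(output)
    if m:
        summary["verify_code"] = int(m.group(1))
        summary["verify_reason"] = m.group(2)
    return summary


def meets_minimum_protocol(summary, minimum):
    """True when the negotiated protocol is at least `minimum` (e.g. "TLSv1.2")."""
    proto = summary.get("protocol")
    if proto not in PROTOCOL_ORDER or minimum not in PROTOCOL_ORDER:
        return False
    return PROTOCOL_ORDER.index(proto) >= PROTOCOL_ORDER.index(minimum)


def assess(summary, minimum="TLSv1.2"):
    """Defender-oriented findings for one handshake summary."""
    findings = []
    if not meets_minimum_protocol(summary, minimum):
        findings.append("negotiated %s, below the required minimum %s"
                        % (summary.get("protocol"), minimum))
    if summary.get("verify_code") not in (None, 0):
        findings.append("certificate did not verify (code %s: %s)"
                        % (summary["verify_code"], summary["verify_reason"]))
    if summary.get("compression") not in (None, "NONE"):
        findings.append("TLS compression is enabled (%s)" % summary["compression"])
    if summary.get("ticket_lifetime") is None:
        findings.append("no session ticket offered; resumption relies on the "
                        "server-side session cache")
    return findings


if __name__ == "__main__":
    s = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print("protocol=%(protocol)s cipher=%(cipher)s key=%(public_key_bits)s bits"
          % s)
    for finding in assess(s):
        print("FINDING:", finding)
```

Run against the constructed sample it reports two findings: the handshake settled on TLSv1 rather than TLSv1.2, and the certificate did not verify (code 18, self-signed, which is expected for the test certificate generated above). Feeding it real output (`openssl s_client -connect host:8443 < /dev/null | python3 thisscript.py`, after replacing the sample with `sys.stdin.read()`) gives the same check for a live connector.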
Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi Chuck.

I also took an interest in digging into this issue. The document you were referring to, http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native, clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol attribute. SSLCipherSuite will only support the ciphers available in SSLv2, SSLv3 and TLSv1. Ciphers that require TLSv1.1 or TLSv1.2 can't be invoked until TLSv1.1 and TLSv1.2 are enabled; see the supported cipher list for TLSv1.2 at the OpenSSL link: http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone has enabled the ciphers below without enabling TLSv1.2:

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Regards,
San

On Fri, Jan 3, 2014 at 12:59 PM, Mudassir Aftab wrote:
>
>
> ---------- Forwarded message ----------
> From: Caldarale, Charles R
> Date: Fri, Jan 3, 2014 at 10:45 AM
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> To: Tomcat Users List
>
>
> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> > Should I use the following APR connector attributes?
>
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            maxThreads="200"
> >            sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
> >            clientAuth="false"
> >            ciphers="AES256-SHA256"
> >            scheme="https" secure="true" SSLEnabled="true"
> >            SSLCertificateFile="p.pem"
> >            SSLCertificateKeyFile="key.pem"
> >            SSLCACertificateFile="AdminCA1.pem" />
>
> For the third time, the APR has no sslProtocol nor sslEnabledProtocols attributes; the proper ones for specifying the protocol and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.
>
> For the last time, read the doc:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> (If you don't start paying attention to the responses you're getting, you will end up just being ignored.)
>
> - Chuck
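The mistake Chuck keeps pointing at (JSSE attribute names such as `sslProtocol`, `sslEnabledProtocols`, `ciphers` and `clientAuth` on an APR connector, which Tomcat simply does not read) is easy to catch mechanically before restarting Tomcat. The script below is an added example, not code from the thread or from the Tomcat project: it walks every `SSLEnabled="true"` Connector in a server.xml, works out from the `protocol` attribute which connector family it is, and reports SSL attributes from the other family together with the APR counterpart to use. The attribute lists are the names from this thread plus a few other well-known Tomcat 7 connector attributes (`keystoreFile`, `keystorePass`, `keyAlias`, `truststoreFile`, `SSLVerifyClient`); the server.xml it parses is constructed, with ports chosen for the example.

```python
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}

# SSL attribute names read by the Java (JSSE) connectors.
JSSE_SSL_ATTRS = {"sslProtocol", "sslEnabledProtocols", "ciphers", "clientAuth",
                  "keystoreFile", "keystorePass", "keyAlias", "truststoreFile"}
# SSL attribute names read by the APR/native connector.
APR_SSL_ATTRS = {"SSLProtocol", "SSLCipherSuite", "SSLVerifyClient",
                 "SSLCertificateFile", "SSLCertificateKeyFile",
                 "SSLCertificateChainFile", "SSLCACertificateFile",
                 "SSLHonorCipherOrder", "SSLDisableCompression"}
# JSSE attribute -> APR counterpart, used to suggest the replacement.
JSSE_TO_APR = {
    "sslProtocol": "SSLProtocol", "sslEnabledProtocols": "SSLProtocol",
    "ciphers": "SSLCipherSuite", "clientAuth": "SSLVerifyClient",
    "keystoreFile": "SSLCertificateFile + SSLCertificateKeyFile",
    "truststoreFile": "SSLCACertificateFile",
}

# Constructed server.xml (not from the thread): 8443 repeats the mix-up
# quoted above, 8444 is the corrected APR form, 8445 leaves the protocol
# implicit, and 8080 is plain HTTP.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
               clientAuth="false" ciphers="AES256-SHA256"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="p.pem" SSLCertificateKeyFile="key.pem"
               SSLCACertificateFile="AdminCA1.pem" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200" SSLProtocol="all" SSLCipherSuite="AES256-SHA256"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="p.pem" SSLCertificateKeyFile="key.pem"
               SSLCACertificateFile="AdminCA1.pem" />
    <Connector port="8445" protocol="HTTP/1.1"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def connector_kind(protocol):
    """Classify a Connector by its protocol attribute."""
    if protocol == APR_PROTOCOL:
        return "apr"
    if protocol in JSSE_PROTOCOLS:
        return "jsse"
    if protocol in (None, "HTTP/1.1"):
        # Tomcat auto-selects APR here when the native library loads, so the
        # right attribute family cannot be known from the file alone.
        return "auto"
    return "unknown"


def suggest(jsse_attr):
    """APR attribute to use instead of a JSSE one, if there is a direct one."""
    return JSSE_TO_APR.get(jsse_attr, "(no direct APR equivalent)")


def lint_connectors(server_xml):
    """Return (port, finding, attrs) tuples for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        kind = connector_kind(conn.get("protocol"))
        attrs = set(conn.keys())
        jsse_used = sorted(attrs & JSSE_SSL_ATTRS)
        apr_used = sorted(attrs & APR_SSL_ATTRS)
        if kind == "apr":
            if jsse_used:
                findings.append((port, "jsse-attrs-on-apr", jsse_used))
            if "SSLCertificateFile" not in attrs:
                findings.append((port, "apr-missing-certificate", []))
        elif kind == "jsse":
            if apr_used:
                findings.append((port, "apr-attrs-on-jsse", apr_used))
        else:
            findings.append((port, "implicit-protocol", jsse_used + apr_used))
    return findings


if __name__ == "__main__":
    for port, code, attrs in lint_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s %s" % (port, code, attrs))
        if code == "jsse-attrs-on-apr":
            for a in attrs:
                print("    %s -> %s" % (a, suggest(a)))
```

On the constructed file the 8443 connector is reported with the four JSSE attributes Tomcat will ignore and their APR replacements, 8444 passes, 8445 is flagged because `protocol="HTTP/1.1"` leaves the connector family (and therefore which SSL attributes apply) to runtime library detection, and 8080 is skipped as it has no SSL. Unknown attributes do not stop Tomcat from starting, which is why a check like this before the restart is worth more than reading the startup log afterwards.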